Hi,
Taking a look at the stack trace, it's not the vulnerability mentioned above, but something similar.
It triggers in the platform tests since those activate the SecurityManager, while the standalone tests do not. The problem is that the custom TCK Policy tries to load a class, for which the security manager checks if that's allowed, and then directly asks the Policy for that. This shows, among other things, why it's so wrong to mix Principal-based Permissions and Code-based Permissions:
[runcts] OUT => [javatest.batch] 24790: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
[runcts] OUT => [javatest.batch] 24791: at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
[runcts] OUT => [javatest.batch] 24792: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
[runcts] OUT => [javatest.batch] 24793: at org.apache.felix.framework.BundleImpl.loadClass(BundleImpl.java:977)
[runcts] OUT => [javatest.batch] 24794: at org.jvnet.hk2.osgiadapter.OSGiModuleImpl$4$1.run(OSGiModuleImpl.java:449)
[runcts] OUT => [javatest.batch] 24795: at org.jvnet.hk2.osgiadapter.OSGiModuleImpl$4$1.run(OSGiModuleImpl.java:446)
[runcts] OUT => [javatest.batch] 24796: at java.base/java.security.AccessController.doPrivileged(Native Method)
[runcts] OUT => [javatest.batch] 24797: at org.jvnet.hk2.osgiadapter.OSGiModuleImpl$4.loadClass(OSGiModuleImpl.java:446)
[runcts] OUT => [javatest.batch] 24798: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
[runcts] OUT => [javatest.batch] 24799: at com.sun.enterprise.v3.server.APIClassLoaderServiceImpl$APIClassLoader.loadClass(APIClassLoaderServiceImpl.java:235)
[runcts] OUT => [javatest.batch] 24800: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:575)
[runcts] OUT => [javatest.batch] 24801: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
[runcts] OUT => [javatest.batch] 24802: at com.sun.ts.tests.jacc.provider.TSPolicy.implies(TSPolicy.java:193)
[runcts] OUT => [javatest.batch] 24803: at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:321)
[runcts] OUT => [javatest.batch] 24804: at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353)
[runcts] OUT => [javatest.batch] 24805: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
[runcts] OUT => [javatest.batch] 24806: at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
[runcts] OUT => [javatest.batch] 24807: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
[runcts] OUT => [javatest.batch] 24808: at org.apache.felix.framework.BundleImpl.loadClass(BundleImpl.java:977)
[runcts] OUT => [javatest.batch] 24809: at org.jvnet.hk2.osgiadapter.OSGiModuleImpl$4$1.run(OSGiModuleImpl.java:449)
[runcts] OUT => [javatest.batch] 24810: at org.jvnet.hk2.osgiadapter.OSGiModuleImpl$4$1.run(OSGiModuleImpl.java:446)
[runcts] OUT => [javatest.batch] 24811: at java.base/java.security.AccessController.doPrivileged(Native Method)
[runcts] OUT => [javatest.batch] 24812: at org.jvnet.hk2.osgiadapter.OSGiModuleImpl$4.loadClass(OSGiModuleImpl.java:446)
[runcts] OUT => [javatest.batch] 24813: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
[runcts] OUT => [javatest.batch] 24814: at com.sun.enterprise.v3.server.APIClassLoaderServiceImpl$APIClassLoader.loadClass(APIClassLoaderServiceImpl.java:235)
[runcts] OUT => [javatest.batch] 24815: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:575)
[runcts] OUT => [javatest.batch] 24816: at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
[runcts] OUT => [javatest.batch] 24817: at com.sun.ts.tests.jacc.provider.TSPolicy.implies(TSPolicy.java:193)
[runcts] OUT => [javatest.batch] 24818: at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:321)
[runcts] OUT => [javatest.batch] 24819: at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353)
[runcts] OUT => [javatest.batch] 24820: at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
[runcts] OUT => [javatest.batch] 24821: at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
[runcts] OUT => [javatest.batch] 24822: at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
[runcts] OUT => [javatest.batch] 24823: at org.apache.felix.framework.BundleImpl.loadClass(BundleImpl.java:977)
[runcts] OUT => [javatest.batch] 24824: at org.jvnet.hk2.osgiadapter.OSGiModuleImpl$4$1.run(OSGiModuleImpl.java:449)
So what's happening is quite clear, and also why it's happening.
The only thing which is not clear is why it's happening now and not before (e.g. in GlassFish 6).
Kind regards,
Arjan Tijms
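The cycle in the trace above (Policy.implies loads a class, the loader asks the SecurityManager, the SecurityManager asks the Policy again) is easy to reproduce outside GlassFish. The following is an added, self-contained example, not code from the TCK, GlassFish, Felix or the original message. `CheckingClassLoader` is a hypothetical stand-in for an OSGi-style loader that performs a permission check before loading (as Felix's `BundleImpl.loadClass` does in the trace); `RecursivePolicy` reproduces the faulty pattern, and `GuardedPolicy` shows the two fixes a policy provider would want: resolve everything it needs before a SecurityManager exists, and refuse to re-enter `implies()` on the same thread. The permission name `hypothetical.loadClass` and the class names are assumptions made for the demo.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/** Reproduces the re-entrant Policy.implies() recursion, then runs the guarded fix. */
public class PolicyReentrancyDemo {

    public static void main(String[] args) throws Exception {
        ClassLoader loader = new CheckingClassLoader(PolicyReentrancyDemo.class.getClassLoader());

        // Build both policies and install the switchable one BEFORE the SecurityManager:
        // once the manager is installed, setPolicy/setSecurityManager are themselves
        // permission checks that would be routed through the (broken) policy.
        Policy recursive = new RecursivePolicy(loader);
        Policy guarded = new GuardedPolicy(loader);   // resolves its class now, with no manager present
        Policy.setPolicy(new SwitchablePolicy());
        SwitchablePolicy.delegate = recursive;
        System.setSecurityManager(new SecurityManager());

        System.out.println("recursive policy: " + exercise(loader));
        SwitchablePolicy.delegate = guarded;
        System.out.println("guarded policy:   " + exercise(loader));
    }

    /** Triggers exactly one SecurityManager check through the loader and reports the outcome. */
    static String exercise(ClassLoader loader) {
        try {
            loader.loadClass("java.lang.Object");
            return "class loaded, permission check completed";
        } catch (StackOverflowError e) {
            return "StackOverflowError: Policy.implies() re-entered itself via loadClass()";
        } catch (ClassNotFoundException | SecurityException e) {
            return "denied: " + e;
        }
    }
}

/** Hypothetical OSGi-style loader: asks the SecurityManager before delegating, like BundleImpl.loadClass. */
class CheckingClassLoader extends ClassLoader {
    static final Permission LOAD_PERM = new RuntimePermission("hypothetical.loadClass"); // assumed name

    CheckingClassLoader(ClassLoader parent) { super(parent); }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // -> AccessController.checkPermission -> ProtectionDomain.implies -> Policy.implies
            sm.checkPermission(LOAD_PERM);
        }
        return super.loadClass(name, resolve);
    }
}

/** Delegates every decision to a swappable target so the demo can switch behaviour without re-installing. */
class SwitchablePolicy extends Policy {
    static volatile Policy delegate;

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        return delegate.implies(domain, permission);
    }
}

/** The faulty pattern: loading a class (e.g. a principal class) while answering a permission check. */
class RecursivePolicy extends Policy {
    private final ClassLoader loader;

    RecursivePolicy(ClassLoader loader) { this.loader = loader; }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        try {
            loader.loadClass("java.lang.String");   // permission check -> this method again -> ...
        } catch (ClassNotFoundException e) {
            return false;
        }
        return true;
    }
}

/** The fix: resolve up front, and never re-enter implies() on the same thread. */
class GuardedPolicy extends Policy {
    private final ThreadLocal<Boolean> inImplies = ThreadLocal.withInitial(() -> false);
    private final Class<?> principalType;

    GuardedPolicy(ClassLoader loader) throws ClassNotFoundException {
        // Eager resolution while no SecurityManager is installed: implies() never loads classes.
        this.principalType = loader.loadClass("java.lang.String");
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (inImplies.get()) {
            // Re-entered on this thread: answer from the domain's static, code-based permissions only.
            return domain.getPermissions() != null && domain.getPermissions().implies(permission);
        }
        inImplies.set(true);
        try {
            // A real principal-based rule would consult principalType here; the demo grants everything.
            return principalType != null;
        } finally {
            inImplies.set(false);
        }
    }
}
```

Compile with `javac PolicyReentrancyDemo.java` and run with `java -Djava.security.manager=allow PolicyReentrancyDemo` (the property is required on JDK 18 and later, where `setSecurityManager` otherwise throws; on 17 it only prints a removal warning). The first line reports the StackOverflowError, the second completes normally. The re-entrancy guard is a safety net, not the primary fix: if the re-entered check is answered from static permissions only, a class load inside `implies()` may still be denied, which is why the guarded policy also resolves its class before the manager exists.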