Bug 1031471 (CVE-2013-4578)

Summary:	CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars
Product:	[Other] Security Response	Reporter:	Arun Babu Neelicattu <aneelica>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	dbhole, grocha, jkurik, jvanek, mjc, security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-09-09 02:22:51 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1029725
Bug Blocks:	1031472

Description Arun Babu Neelicattu 2013-11-18 04:17:06 UTC

It has been identified that it is possible to inject malicious unsigned bytecode into a signed JAR without failing jarsigner verification. This flaw could be exploited in environments where contents of a verified JAR is considered trusted and unpacked for use.

Note that if the signed JAR is used at runtime, with signature intact, a fatal runtime exception is thrown.

Comment 2 David Jorm 2013-11-18 04:24:42 UTC

Acknowledgements:

This issue was discovered by Arun Babu Neelicattu of the Red Hat Security Response Team.

Comment 3 Kurt Seifried 2015-02-08 22:34:13 UTC

This was fixed publicly by upstream

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e

Comment 5 Tomas Hoger 2016-09-09 20:26:07 UTC

(In reply to Kurt Seifried from comment #3)
> This was fixed publicly by upstream
> 
> http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e

The fix was included in OpenJDK, Oracle JDK and IBM JDK updates released to address January 2014 CPU security issues.  Upstream considered it security hardening rather than vulnerability fix.