Bug 1051823 (CVE-2013-5878)

Summary: CVE-2013-5878 OpenJDK: null xmlns handling issue (Security, 8025026)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: dbhole, jkurik, jvanek, omajid, pfrields, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20140114,reported=20140107,source=oracle,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/java-1.6.0-openjdk=affected,rhel-6/java-1.6.0-openjdk=affected,rhel-7/java-1.6.0-openjdk=affected,rhel-5/java-1.7.0-openjdk=affected,rhel-6/java-1.7.0-openjdk=affected,rhel-7/java-1.7.0-openjdk=affected,rhel-5/java-1.7.0-oracle=affected,rhel-6/java-1.7.0-oracle=affected,rhel-7/java-1.7.0-oracle=affected,rhel-5/java-1.6.0-ibm=affected,rhel-6/java-1.6.0-ibm=affected,rhel-7/java-1.6.0-ibm=affected,rhel-5/java-1.7.0-ibm=affected,rhel-6/java-1.7.0-ibm=affected,rhel-7/java-1.7.0-ibm=affected
Fixed In Version: icedtea 2.4.4, icedtea 2.3.13, icedtea 1.12.8, icedtea 1.13.1
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-02-06 10:41:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Blocks: 1049945

Description Tomas Hoger 2014-01-11 16:02:04 EST
A flaw was found in the way the Security component in OpenJDK handled null xmlns (XML namespace) attributes when performing XML document canonicalization.  An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
Comment 1 Tomas Hoger 2014-01-14 16:14:50 EST
Public now via Oracle CPU January 2014.  Fixed in Oracle JDK 7u51 and 6u71.

External References:

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
Comment 2 errata-xmlrpc 2014-01-14 20:02:29 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0027 https://rhn.redhat.com/errata/RHSA-2014-0027.html
Comment 3 errata-xmlrpc 2014-01-14 20:04:14 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0026 https://rhn.redhat.com/errata/RHSA-2014-0026.html
Comment 4 errata-xmlrpc 2014-01-15 14:18:12 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0030 https://rhn.redhat.com/errata/RHSA-2014-0030.html
Comment 5 Tomas Hoger 2014-01-16 03:43:34 EST
OpenJDK7 upstream commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/6b3c195c73b0
Comment 6 errata-xmlrpc 2014-01-27 14:56:17 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0097 https://rhn.redhat.com/errata/RHSA-2014-0097.html
Comment 8 errata-xmlrpc 2014-02-04 14:38:06 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0135 https://rhn.redhat.com/errata/RHSA-2014-0135.html
Comment 9 errata-xmlrpc 2014-02-04 14:42:06 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0134 https://rhn.redhat.com/errata/RHSA-2014-0134.html
Comment 10 errata-xmlrpc 2014-04-17 07:42:23 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html
Comment 11 errata-xmlrpc 2014-06-10 09:12:52 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html
Comment 12 errata-xmlrpc 2014-07-29 11:41:24 EDT
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html