Bug 1183039 (CVE-2015-0400)

Summary: CVE-2015-0400 OpenJDK: NTLM authentication data disclosure via redirect to proxy (Libraries, 8048035)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-16 14:27:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1179762    

Description Tomas Hoger 2015-01-16 14:26:29 UTC 
A flaw was found in the way the HTTPUrlConnection class in the Libraries component in OpenJDK handled HTTP 305 "Use Proxy" server responses when using NTLM transparent proxy authentication.  A malicious HTTP server could possibly cause an application using HTTPUrlConnection to disclose NTLM authentication data to an attacker-chosen proxy server.

Note that the NTLM transparent authentication is only available in OpenJDK versions on the Microsoft Windows platform.  Therefore, the OpenJDK packages in Red Hat Enterprise Linux and Fedora were not affected by this issue.
Comment 1 Tomas Hoger 2015-01-16 14:27:49 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of OpenJDK and Oracle JDK as shipped with Red Hat Enterprise Linux.
Comment 2 Tomas Hoger 2015-01-20 22:23:17 UTC 
Public now via Oracle Critical Patch Update - January 2015.  Fixed in Oracle Java SE 6u91, 7u75, and 8u31.

External References:

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA
Comment 3 Tomas Hoger 2015-01-22 12:04:15 UTC 
Upstream OpenJDK commits:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/e64096846c20
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1e79baf89075
Comment 4 Tomas Hoger 2015-01-26 14:53:06 UTC 
This issue was fixed in IcedTea6 1.13.6 and IcedTea7 2.5.4:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-January/030488.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-January/030469.html