Bug 1210355 (CVE-2015-0478)

Summary: CVE-2015-0478 OpenJDK: insufficient hardening of RSA-CRT implementation (JCE, 8071726)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dbhole, fweimer, jrusnack, jvanek, omajid, sbaiduzh, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: IcedTea6 1.13.7, IcedTea7 2.5.5 Doc Type: Bug Fix
Doc Text:
It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-20 20:39:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1184913, 1209063    

Description Tomas Hoger 2015-04-09 13:54:09 UTC 
It was found that the RSA implementation in Java Cryptography Extension (JCE) component in OpenJDK did not follow recommended practices for implementing RSA signatures.

Acknowledgement:

This issue was discovered by Florian Weimer of Red Hat Product Security.
Comment 1 Tomas Hoger 2015-04-14 19:48:23 UTC 
Public now via Oracle Critical Patch Update - April 2015.  Fixed in Oracle Java SE 6u95, 7u79, and 8u45.

External References:

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
Comment 2 errata-xmlrpc 2015-04-14 20:18:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0807 https://rhn.redhat.com/errata/RHSA-2015-0807.html
Comment 3 errata-xmlrpc 2015-04-15 15:16:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0809 https://rhn.redhat.com/errata/RHSA-2015-0809.html
Comment 4 errata-xmlrpc 2015-04-15 16:58:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0808 https://rhn.redhat.com/errata/RHSA-2015-0808.html
Comment 5 errata-xmlrpc 2015-04-15 16:58:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0806 https://rhn.redhat.com/errata/RHSA-2015-0806.html
Comment 6 Tomas Hoger 2015-04-16 12:51:53 UTC 
This issue was fixed in IcedTea6 1.13.7 and IcedTea7 2.5.5:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-April/031449.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-April/031450.html

Upstream OpenJDK commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1083da8a8ec1
Comment 7 errata-xmlrpc 2015-04-17 10:29:10 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0854 https://rhn.redhat.com/errata/RHSA-2015-0854.html
Comment 8 errata-xmlrpc 2015-04-20 14:08:34 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0857 https://rhn.redhat.com/errata/RHSA-2015-0857.html
Comment 9 errata-xmlrpc 2015-04-20 14:28:19 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0858 https://rhn.redhat.com/errata/RHSA-2015-0858.html
Comment 10 errata-xmlrpc 2015-05-13 13:33:31 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1007 https://rhn.redhat.com/errata/RHSA-2015-1007.html
Comment 11 errata-xmlrpc 2015-05-13 13:35:29 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1006 https://rhn.redhat.com/errata/RHSA-2015-1006.html
Comment 12 errata-xmlrpc 2015-05-20 18:36:42 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1021 https://rhn.redhat.com/errata/RHSA-2015-1021.html
Comment 13 errata-xmlrpc 2015-05-20 19:06:15 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2015:1020 https://rhn.redhat.com/errata/RHSA-2015-1020.html
Comment 14 errata-xmlrpc 2015-06-11 13:21:52 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6
  Red Hat Satellite Server v 5.7

Via RHSA-2015:1091 https://rhn.redhat.com/errata/RHSA-2015-1091.html
Comment 15 Tomas Hoger 2015-09-22 13:13:46 UTC 
Further details of this issue are now available via Florian Weimer's blog post and paper:

https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf

Brief description of this issue in the OpenJDK context:

It was discovered that RSA implementation in OpenJDK did not perform verification of signatures computed using the RSA-CRT (Chinese Remainder Theorem) optimization.  Faults that occur during signature computation may lead to a leak of the used RSA private key, known as Arjen Lenstra's CRT attack:

https://infoscience.epfl.ch/record/164524/files/nscan20.PDF

This problem may be exposed in TLS, for example when using Perfect Forward Secrecy cipher suites.