Bug 1211543 (CVE-2015-0488)

Summary: CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dbhole, jvanek, omajid, sbaiduzh, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: IcedTea6 1.13.7, IcedTea7 2.5.5 Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-20 20:39:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1209063    

Description Tomas Hoger 2015-04-14 09:37:23 UTC 
A flaw was found in the way the JSSE (Java Secure Socket Extension) component in OpenJDK parsed X.509 certificate options.  A specially-crafted certificate could cause JSSE to raise an unexpected exception, possibly causing an application using JSSE to exit unexpectedly.
Comment 1 Tomas Hoger 2015-04-14 19:45:37 UTC 
Public now via Oracle Critical Patch Update - April 2015.  Fixed in Oracle Java SE 6u95, 7u79, and 8u45.

External References:

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA
Comment 2 errata-xmlrpc 2015-04-14 20:19:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0807 https://rhn.redhat.com/errata/RHSA-2015-0807.html
Comment 3 errata-xmlrpc 2015-04-15 15:16:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0809 https://rhn.redhat.com/errata/RHSA-2015-0809.html
Comment 4 errata-xmlrpc 2015-04-15 16:58:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0808 https://rhn.redhat.com/errata/RHSA-2015-0808.html
Comment 5 errata-xmlrpc 2015-04-15 16:58:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0806 https://rhn.redhat.com/errata/RHSA-2015-0806.html
Comment 6 Tomas Hoger 2015-04-16 12:51:02 UTC 
This issue was fixed in IcedTea6 1.13.7 and IcedTea7 2.5.5:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-April/031449.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-April/031450.html

Upstream OpenJDK commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/04cda5b7a3c1
Comment 7 errata-xmlrpc 2015-04-17 10:29:31 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0854 https://rhn.redhat.com/errata/RHSA-2015-0854.html
Comment 8 errata-xmlrpc 2015-04-20 14:08:56 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0857 https://rhn.redhat.com/errata/RHSA-2015-0857.html
Comment 9 errata-xmlrpc 2015-04-20 14:28:41 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0858 https://rhn.redhat.com/errata/RHSA-2015-0858.html
Comment 10 errata-xmlrpc 2015-05-13 13:34:03 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1007 https://rhn.redhat.com/errata/RHSA-2015-1007.html
Comment 11 errata-xmlrpc 2015-05-13 13:35:39 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1006 https://rhn.redhat.com/errata/RHSA-2015-1006.html
Comment 12 errata-xmlrpc 2015-05-20 18:36:53 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1021 https://rhn.redhat.com/errata/RHSA-2015-1021.html
Comment 13 errata-xmlrpc 2015-05-20 19:06:26 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2015:1020 https://rhn.redhat.com/errata/RHSA-2015-1020.html
Comment 14 errata-xmlrpc 2015-06-11 13:22:03 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6
  Red Hat Satellite Server v 5.7

Via RHSA-2015:1091 https://rhn.redhat.com/errata/RHSA-2015-1091.html