Bug 1273859 (CVE-2015-4871)
Summary: | CVE-2015-4871 OpenJDK: protected methods can be used as interface methods via DirectMethodHandle (Libraries) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dbhole, jvanek, omajid |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-01-21 12:50:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1257667 |
Description
Tomas Hoger
2015-10-21 12:14:57 UTC
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2015:1927 https://rhn.redhat.com/errata/RHSA-2015-1927.html This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2015:2507 https://rhn.redhat.com/errata/RHSA-2015-2507.html This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2015:2509 https://rhn.redhat.com/errata/RHSA-2015-2509.html This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2015:2506 https://rhn.redhat.com/errata/RHSA-2015-2506.html Further details of these issue were made public. This issue is not specific to Oracle JDK - OpenJDK 7 is also affected by this issue. This problem is described as Issue 42 in Security Exploration's SE-2014-02: http://www.security-explorations.com/en/SE-2014-02-details.html http://www.security-explorations.com/materials/SE-2014-02-ORACLE.pdf http://seclists.org/fulldisclosure/2015/Oct/83 The following fix was applied to OpenJDK 7 upstream: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/c434c67b8189 http://mail.openjdk.java.net/pipermail/jdk7u-dev/2015-November/010442.html Note that the issue was not addressed in HotSpot as suggested in the report, but in the DirectMethodHandle implementation. (In reply to Tomas Hoger from comment #5) > Note that the issue was not addressed in HotSpot as suggested in the report, > but in the DirectMethodHandle implementation. The original reporter published a new report indicating that their previous root cause analysis was incorrect and that the DirectMethodHandle was the place with the faulty code: http://seclists.org/fulldisclosure/2015/Nov/107 http://www.security-explorations.com/materials/SE-2014-02-ORACLE-ERRATA.pdf According to the updated report, this issue was corrected in JDK 8 between versions 8u31 and 8u40, hence it was included with updates for the Apr 2015 CPU, updating JDK8 packages to version 8u45. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0053 https://rhn.redhat.com/errata/RHSA-2016-0053.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2016:0054 https://rhn.redhat.com/errata/RHSA-2016-0054.html This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430 |