Bug 1288070

Summary: Suspected security vulnerability in sun.nio.ch.PipeImpl
Product: [Fedora] Fedora
Reporter: Matthias-Christian Ott <ott>
Component: java-1.8.0-openjdk
Assignee: Deepak Bhole <dbhole>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: ahughes, aph, dbhole, jerboaa, jvanek, msrb, omajid, thoger
Hardware: All
OS: Windows
Doc Type: Bug Fix
Last Closed: 2015-12-03 20:19:01 UTC
Type: Bug

Description Matthias-Christian Ott 2015-12-03 12:40:59 UTC
sun.nio.ch.PipeImpl creates a TCP/IP socket pair and binds socket sc2 to an ephemeral port on 127.0.0.1. It then generates a 64-bit random number with an insecure random number generator, connects from sc1 to sc2 and sends the generated number. If the received number matches the sent number, the connection is established. Otherwise a new random number is generated and the process is repeated until the numbers match.

On most operating systems there is no access control for loopback TCP/IP connections (in their default configuration), so an attacker can submit their own guess of the random number by exploiting a race condition. This would at most require 2^64 attempts (the usual speed-ups apply). Moreover, the attack can be significantly accelerated by the fact that the random number generator is partially predictable. If CryptGenRandom fails on Microsoft Windows, the seed for the random number generator is java.lang.System#nanoTime and the number of invocations of java.util.Random. Both values can be estimated by the attacker by observing the use of system resources. Otherwise the seed of the random number generator is 64-bit.
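
Added example, not part of the report and not OpenJDK's code: a hardened form of the loopback handshake described above. It goes beyond the description by drawing the challenge from `SecureRandom` and by rejecting any accepted connection whose remote endpoint is not the connector's own local endpoint. The class name `LoopbackPair`, the method `open`, and the constant `MAX_ACCEPTS` are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Illustration only: names are hypothetical, not taken from sun.nio.ch.PipeImpl.
public class LoopbackPair {
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, not java.util.Random
    private static final int MAX_ACCEPTS = 16;                  // bound on foreign connections tolerated

    /** Returns {sc1, sc2}, two connected loopback channels, or throws IOException. */
    public static SocketChannel[] open() throws IOException {
        try (ServerSocketChannel ssc = ServerSocketChannel.open()) {
            // Listen on an ephemeral port of the loopback address only.
            ssc.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
            byte[] nonce = new byte[16];                         // 128-bit challenge
            RNG.nextBytes(nonce);
            SocketChannel sc1 = SocketChannel.open(ssc.getLocalAddress());
            sc1.write(ByteBuffer.wrap(nonce));
            for (int i = 0; i < MAX_ACCEPTS; i++) {
                SocketChannel sc2 = ssc.accept();
                // Check the peer endpoint before reading, so a connection from
                // another local process is dropped and cannot stall the read.
                if (!sc2.getRemoteAddress().equals(sc1.getLocalAddress())) {
                    sc2.close();
                    continue;
                }
                ByteBuffer got = ByteBuffer.allocate(nonce.length);
                while (got.hasRemaining() && sc2.read(got) >= 0) { }
                // Constant-time comparison of the received challenge.
                if (MessageDigest.isEqual(nonce, got.array())) {
                    return new SocketChannel[] { sc1, sc2 };
                }
                sc2.close();
                break;
            }
            sc1.close();
            throw new IOException("loopback handshake failed");
        }
    }

    public static void main(String[] args) throws IOException {
        SocketChannel[] pair = open();
        System.out.println(pair[0].getLocalAddress() + " <-> " + pair[1].getLocalAddress());
        pair[0].close();
        pair[1].close();
    }
}
```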

Comment 4 Deepak Bhole 2015-12-03 20:19:01 UTC
Hello, thank you for reporting this issue. Red Hat only supports OpenJDK on Linux at this time, and this issue appears to affect Windows specifically.

Please report this issue to Oracle directly as they maintain OpenJDK on Windows actively: 

https://www.oracle.com/support/assurance/vulnerability-remediation/reporting-security-vulnerabilities.html

Closing issue here.