Bug 1320650 (CVE-2016-0636)

Summary: CVE-2016-0636 OpenJDK: missing type safety checks for MethodHandle calls across class loaders, incorrect CVE-2013-5838 fix (Hotspot, 8151666)
Product: [Other] Security Response Reporter: Stefan Cornelius <scorneli>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: ahughes, dbhole, jvanek, omajid, sbaiduzh, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-31 20:08:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1320655, 1320656, 1320657, 1320658, 1320659, 1320661, 1320662, 1320664, 1320665, 1320667, 1320668, 1320669, 1320670, 1320671, 1320672, 1320673, 1320674, 1320675, 1320961    
Bug Blocks: 1320678    

Description Stefan Cornelius 2016-03-23 17:14:42 UTC
It was discovered that the security fix for CVE-2013-5838 was incomplete
and still allowed remote attackers to escape the Java security sandbox
mechanism.

The root problem is that the Reflection API does not properly guarantee
type safety when Method Handle objects were invoked across two different
Class Loader namespaces.

A part of the original patch was to use the "loadersAreRelated()" method
to ensure that the two Class Loaders are related, which is a condition
for correct type safety.

However, this condition could be easily fulfilled by abusing certain
behaviours in the class loading process, which could allow an attacker
to bypass the type safety checks and ultimately escapte the security
sandbox mechanism.

External References:
http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html
https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636

http://seclists.org/fulldisclosure/2016/Mar/31
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf

Comment 5 Tomas Hoger 2016-03-23 20:20:26 UTC
Public now via "Oracle Security Alert for CVE-2016-0636":

http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html
https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636

Fixed in Oracle Java SE 7u99 and 8u77.

Comment 8 Tomas Hoger 2016-03-23 21:46:38 UTC
This update seems to be addressing this issue from Adam Gowdiak of Security Explorations:

http://seclists.org/fulldisclosure/2016/Mar/31
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf

The reported issue in an incorrect fix for CVE-2013-5838 (bug 1019300).

Comment 12 Tomas Hoger 2016-03-24 20:46:36 UTC
(In reply to Tomas Hoger from comment #8)
> This update seems to be addressing this issue from Adam Gowdiak of Security
> Explorations:
> 
> http://seclists.org/fulldisclosure/2016/Mar/31

This is now confirmed by the Security Explorations' site:

http://www.security-explorations.com/en/SE-2012-01-status.html

  24-Mar-2016
  - Oracle provides a status report regarding a broken security fix for Issue
  69. The company informs that it was fixed by Security Alert for CVE-2016-0636
  issued on Mar 23, 2016.

Comment 13 errata-xmlrpc 2016-03-24 23:08:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0511 https://rhn.redhat.com/errata/RHSA-2016-0511.html

Comment 14 errata-xmlrpc 2016-03-24 23:29:45 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:0516 https://rhn.redhat.com/errata/RHSA-2016-0516.html

Comment 15 errata-xmlrpc 2016-03-24 23:30:01 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2016:0515 https://rhn.redhat.com/errata/RHSA-2016-0515.html

Comment 16 errata-xmlrpc 2016-03-24 23:30:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0514 https://rhn.redhat.com/errata/RHSA-2016-0514.html

Comment 17 errata-xmlrpc 2016-03-24 23:58:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0513 https://rhn.redhat.com/errata/RHSA-2016-0513.html

Comment 18 errata-xmlrpc 2016-03-24 23:59:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7

Via RHSA-2016:0512 https://rhn.redhat.com/errata/RHSA-2016-0512.html

Comment 19 Tomas Hoger 2016-03-27 12:35:10 UTC
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44179bce874

Comment 20 Tomas Hoger 2016-03-31 20:08:09 UTC
IBM indicates their JRE/JDK were not affected by this issue:

http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_Security_Alert_for_CVE-2016-0636