Bug 1320650 (CVE-2016-0636)
| Summary: | CVE-2016-0636 OpenJDK: missing type safety checks for MethodHandle calls across class loaders, incorrect CVE-2013-5838 fix (Hotspot, 8151666) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Stefan Cornelius <scorneli> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | unspecified | CC: | ahughes, dbhole, jvanek, omajid, sbaiduzh, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-03-31 20:08:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1320655, 1320656, 1320657, 1320658, 1320659, 1320661, 1320662, 1320664, 1320665, 1320667, 1320668, 1320669, 1320670, 1320671, 1320672, 1320673, 1320674, 1320675, 1320961 | ||
| Bug Blocks: | 1320678 | ||
|
Description
Stefan Cornelius
2016-03-23 17:14:42 UTC
Public now via "Oracle Security Alert for CVE-2016-0636": http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636 Fixed in Oracle Java SE 7u99 and 8u77. This update seems to be addressing this issue from Adam Gowdiak of Security Explorations: http://seclists.org/fulldisclosure/2016/Mar/31 http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf The reported issue in an incorrect fix for CVE-2013-5838 (bug 1019300). (In reply to Tomas Hoger from comment #8) > This update seems to be addressing this issue from Adam Gowdiak of Security > Explorations: > > http://seclists.org/fulldisclosure/2016/Mar/31 This is now confirmed by the Security Explorations' site: http://www.security-explorations.com/en/SE-2012-01-status.html 24-Mar-2016 - Oracle provides a status report regarding a broken security fix for Issue 69. The company informs that it was fixed by Security Alert for CVE-2016-0636 issued on Mar 23, 2016. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0511 https://rhn.redhat.com/errata/RHSA-2016-0511.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0516 https://rhn.redhat.com/errata/RHSA-2016-0516.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2016:0515 https://rhn.redhat.com/errata/RHSA-2016-0515.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0514 https://rhn.redhat.com/errata/RHSA-2016-0514.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0513 https://rhn.redhat.com/errata/RHSA-2016-0513.html This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Via RHSA-2016:0512 https://rhn.redhat.com/errata/RHSA-2016-0512.html OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44179bce874 IBM indicates their JRE/JDK were not affected by this issue: http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_Security_Alert_for_CVE-2016-0636 |