Bug 1357494 (CVE-2016-3458)

Summary: CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dbhole, jvanek, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-26 15:15:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1350028    

Description Tomas Hoger 2016-07-18 11:40:55 UTC 
It was discovered that the CORBA component of OpenJDK did not sufficiently restrict the use of custom ValueHandler when performing object deserialization.  An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
Comment 1 Tomas Hoger 2016-07-20 07:34:41 UTC 
Public now via Oracle CPU July 2016, fixed in Oracle JDK 8u101, 7u111, and 6u121.

External References:

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA
Comment 2 Tomas Hoger 2016-07-20 07:38:39 UTC 
There is an entry in the release notes related to this issue:

http://www.oracle.com/technetwork/java/javase/8u101-relnotes-3021761.html

  other-libs/corba
  Improve access control to javax.rmi.CORBA.ValueHandler

  The javax.rmi.CORBA.Util class provides methods that can be used by stubs
  and ties to perform common operations. It also acts as a factory for
  ValueHandlers. The javax.rmi.CORBA.ValueHandler interface provides services
  to support the reading and writing of value types to GIOP streams. The
  security awareness of these utilities has been enhanced with the
  introduction of a permission
  java.io.SerializablePermission("enableCustomValueHanlder").
  This is used to establish a trust relationship between the users of the
  javax.rmi.CORBA.Util and javax.rmi.CORBA.ValueHandler APIs.

  The required permission is "enableCustomValueHanlder"
  SerializablePermission. Third party code running with a SecurityManager
  installed, but not having the new permission while invoking
  Util.createValueHandler(), will fail with an AccessControlException.

  This permission check behaviour can be overridden, in JDK8u and previous
  releases, by defining a system property,
  "jdk.rmi.CORBA.allowCustomValueHandler".

  As such, external applications that explicitly call
  javax.rmi.CORBA.Util.createValueHandler require a configuration change
  to function when a SecurityManager is installed and neither of the
  following two requirements is met: 

  1. The java.io.SerializablePermission("enableCustomValueHanlder") is not
  granted by SecurityManager.

  2. In the case of applications running on JDK8u and before, the system
  property "jdk.rmi.CORBA.allowCustomValueHandler" is either not defined or
  is defined equal to "false" (case insensitive).

  Please note that the "enableCustomValueHanlder" typo will be corrected in
  the October 2016 releases. In those and future JDK releases,
  "enableCustomValueHandler" will be the correct SerializationPermission
  to use.

  JDK-8079718 (not public)

Note that OpenJDK packages in Red Hat Enterprise Linux will use correctly spelt name for the "enableCustomValueHandler" permission, but will also recognize mis-spelt "enableCustomValueHanlder" for compatibility with Oracle JDK.
Comment 3 Tomas Hoger 2016-07-20 09:41:33 UTC 
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/corba/rev/4821afbaa2a6
Comment 4 errata-xmlrpc 2016-07-20 12:13:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1458 https://access.redhat.com/errata/RHSA-2016:1458
Comment 5 errata-xmlrpc 2016-07-21 10:20:32 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2016:1477 https://access.redhat.com/errata/RHSA-2016:1477
Comment 6 errata-xmlrpc 2016-07-21 10:21:19 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2016:1476 https://access.redhat.com/errata/RHSA-2016:1476
Comment 7 errata-xmlrpc 2016-07-21 10:22:30 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:1475 https://access.redhat.com/errata/RHSA-2016:1475
Comment 8 errata-xmlrpc 2016-07-27 11:43:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1504 https://rhn.redhat.com/errata/RHSA-2016-1504.html
Comment 9 errata-xmlrpc 2016-08-26 13:00:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1776 https://rhn.redhat.com/errata/RHSA-2016-1776.html