Bug 1386103 (CVE-2016-5597)

Summary: CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dbhole, jvanek, kbost, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if the proxy asked for authentication.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-13 08:12:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1381992

Description Tomas Hoger 2016-10-18 07:32:31 UTC
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication.  A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if the proxy asked for authentication.

Two new network system properties are introduced as part of the fix which restrict the HTTP authentication schemes that can be used for authentication to the proxy, depending on whether the proxied request is HTTP or HTTPS:

- jdk.http.auth.proxying.disabledSchemes lists authentication schemes that cannot be used for proxy authentication when proxying an HTTP request.  No schemes are disabled by default.

- jdk.http.auth.tunneling.disabledSchemes lists authentication schemes that cannot be used for proxy authentication when proxying an HTTPS request (using the HTTP CONNECT method).  The 'Basic' HTTP authentication scheme is disabled by default.

Comment 1 Tomas Hoger 2016-10-18 07:56:15 UTC
This fix seems to work around bugs in applications rather than address a flaw in the JDK.  The problematic scenario is:

- A Java application connects to some HTTPS server, and the server requires HTTP authentication.

- The application normally connects to the server directly, or using an HTTP proxy which does not require authentication.

- The java.net.Authenticator subclass used in the application to provide authentication credentials to the Networking component of the JDK does not properly check which requestor host/port and which requestor type is requesting credentials.  I.e. it returns server authentication credentials when asked for proxy authentication credentials.

The problem happens when the connection is made via an HTTP proxy that requires HTTP Basic authentication.  The application sends out the server credentials over a plain text connection to the proxy, even though those credentials are only meant to be sent over an encrypted connection and only to the target server.

It can be argued that this change also works around problems in the API design and/or documentation (as the example in the official documentation does not include any requestor type checks either).

http://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html

This fix breaks the use case where properly implemented applications, which distinguish server and proxy authentication credentials, make HTTPS connections via an HTTP proxy that requires Basic authentication.  After this fix, Basic authentication will no longer be tried and the application will not be asked for proxy authentication credentials.  Note that HTTP connections from the same application sent via the same proxy will not be affected.  Removing Basic from tunneling.disabledSchemes would avoid the breakage in this use case.  On the Java command line, this can be used:

  -Djdk.http.auth.tunneling.disabledSchemes=
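
The application bug described in comment 1, shown as an added example (not code from the bug report, the JDK, or any affected application): a java.net.Authenticator subclass that hands the same credentials to whoever asks, next to one that scopes them by requestor type, protocol, host and port. Host names, ports and credentials are made up; the two simulate* helpers drive the authenticators through Authenticator.requestPasswordAuthentication with constructed challenge parameters, so no network traffic is generated.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;

/**
 * Contrasts a credential-leaking Authenticator with one that scopes
 * credentials to the requestor. All names and secrets are constructed.
 */
public class ProxyAuthScopingDemo {

    // Vulnerable: the same credentials for every challenge, whoever asks.
    // When an HTTP proxy replies 407 with "Proxy-Authenticate: Basic", the
    // HTTPS server credentials are sent to the proxy, base64-encoded, in the
    // clear over the plain-text hop.
    static class NaiveAuthenticator extends Authenticator {
        private final PasswordAuthentication serverCreds;

        NaiveAuthenticator(PasswordAuthentication serverCreds) {
            this.serverCreds = serverCreds;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            return serverCreds;
        }
    }

    // Hardened: proxy challenges get proxy credentials (or no answer at all),
    // server challenges get server credentials only for the expected HTTPS origin.
    static class ScopedAuthenticator extends Authenticator {
        private final String serverHost;
        private final int serverPort;
        private final PasswordAuthentication serverCreds;
        private final PasswordAuthentication proxyCreds; // null: never answer the proxy

        ScopedAuthenticator(String serverHost, int serverPort,
                            PasswordAuthentication serverCreds,
                            PasswordAuthentication proxyCreds) {
            this.serverHost = serverHost;
            this.serverPort = serverPort;
            this.serverCreds = serverCreds;
            this.proxyCreds = proxyCreds;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            if (getRequestorType() == RequestorType.PROXY) {
                return proxyCreds;
            }
            // Server challenge: only over TLS and only for the expected host:port.
            if (!"https".equalsIgnoreCase(getRequestingProtocol())) return null;
            if (!serverHost.equalsIgnoreCase(getRequestingHost())) return null;
            if (getRequestingPort() != serverPort) return null;
            return serverCreds;
        }
    }

    /** Simulates a 407 Basic challenge from an HTTP proxy (constructed values). */
    static PasswordAuthentication simulateProxyBasicChallenge(Authenticator a) throws Exception {
        Authenticator.setDefault(a);
        return Authenticator.requestPasswordAuthentication(
                "proxy.corp.example", null, 3128,   // the proxy is the requestor
                "http",                             // plain-text hop to the proxy
                "proxy realm", "Basic",
                new URL("https://api.example.com/v1/"),
                Authenticator.RequestorType.PROXY);
    }

    /** Simulates the legitimate 401 Basic challenge from the HTTPS server itself. */
    static PasswordAuthentication simulateServerChallenge(Authenticator a) throws Exception {
        Authenticator.setDefault(a);
        return Authenticator.requestPasswordAuthentication(
                "api.example.com", null, 443, "https", "api realm", "Basic",
                new URL("https://api.example.com/v1/"),
                Authenticator.RequestorType.SERVER);
    }

    private static String describe(PasswordAuthentication pa) {
        return pa == null ? "nothing (challenge left unanswered)"
                          : "user '" + pa.getUserName() + "' and password";
    }

    public static void main(String[] args) throws Exception {
        PasswordAuthentication serverCreds =
                new PasswordAuthentication("svc-user", "hunter2".toCharArray());

        // Leaks: the proxy receives the HTTPS server credentials.
        Authenticator naive = new NaiveAuthenticator(serverCreds);
        System.out.println("naive  -> proxy gets:  " + describe(simulateProxyBasicChallenge(naive)));

        // Scoped, with no proxy credentials configured: proxy gets nothing,
        // the real server still gets its credentials.
        Authenticator scoped = new ScopedAuthenticator("api.example.com", 443, serverCreds, null);
        System.out.println("scoped -> proxy gets:  " + describe(simulateProxyBasicChallenge(scoped)));
        System.out.println("scoped -> server gets: " + describe(simulateServerChallenge(scoped)));
    }
}
```

With a fixed JDK, even ScopedAuthenticator is no longer consulted for a Basic challenge on a CONNECT tunnel, because Basic is in jdk.http.auth.tunneling.disabledSchemes by default; an application that really needs Basic towards the proxy has to be started with the property cleared as shown above, and should then have an Authenticator that answers the PROXY requestor type with proxy-specific credentials only.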

Comment 2 Tomas Hoger 2016-10-18 18:42:16 UTC
This change has the following entry in the release notes for Oracle JDK 8u111, 7u121, and 6u131:

http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_121
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_131

  Disable Basic authentication for HTTPS tunneling

  In some environments, certain authentication schemes may be undesirable
  when proxying HTTPS. Accordingly, the Basic authentication scheme has been
  deactivated, by default, in the Oracle Java Runtime, by adding Basic to the
  jdk.http.auth.tunneling.disabledSchemes networking property. Now, proxies
  requiring Basic authentication when setting up a tunnel for HTTPS will no
  longer succeed by default. If required, this authentication scheme can be
  reactivated by removing Basic from the
  jdk.http.auth.tunneling.disabledSchemes networking property, or by setting
  a system property of the same name to "" (empty) on the command line.

  Additionally, the jdk.http.auth.tunneling.disabledSchemes and
  jdk.http.auth.proxying.disabledSchemes networking properties, and system
  properties of the same name, can be used to disable other authentication
  schemes that may be active when setting up a tunnel for HTTPS, or proxying
  plain HTTP, respectively.

  JDK-8160838 (not public)

Comment 3 Tomas Hoger 2016-10-18 20:10:02 UTC
Public now via Oracle CPU October 2016, fixed in Oracle JDK 8u111, 7u121, and 6u131.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA

Comment 4 Tomas Hoger 2016-10-19 08:05:09 UTC
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d689f7b806c8

Comment 5 errata-xmlrpc 2016-10-19 15:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:2079 https://rhn.redhat.com/errata/RHSA-2016-2079.html

Comment 6 errata-xmlrpc 2016-10-20 12:38:56 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2088 https://rhn.redhat.com/errata/RHSA-2016-2088.html

Comment 7 errata-xmlrpc 2016-10-20 12:49:41 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2090 https://rhn.redhat.com/errata/RHSA-2016-2090.html

Comment 8 errata-xmlrpc 2016-10-20 12:50:41 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2089 https://rhn.redhat.com/errata/RHSA-2016-2089.html

Comment 9 errata-xmlrpc 2016-11-02 18:21:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2016:2138 https://rhn.redhat.com/errata/RHSA-2016-2138.html

Comment 10 errata-xmlrpc 2016-11-02 18:22:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:2137 https://rhn.redhat.com/errata/RHSA-2016-2137.html

Comment 11 errata-xmlrpc 2016-11-02 18:22:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2016:2136 https://rhn.redhat.com/errata/RHSA-2016-2136.html

Comment 12 errata-xmlrpc 2016-11-07 09:06:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:2659 https://rhn.redhat.com/errata/RHSA-2016-2659.html

Comment 13 errata-xmlrpc 2016-11-07 13:28:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2016:2658 https://rhn.redhat.com/errata/RHSA-2016-2658.html

Comment 14 errata-xmlrpc 2017-01-13 00:01:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2017:0061 https://rhn.redhat.com/errata/RHSA-2017-0061.html

Comment 15 errata-xmlrpc 2017-05-09 16:42:11 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216