Bug 1386103 (CVE-2016-5597)
Summary: | CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838) | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | dbhole, jvanek, kbost, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if the proxy asked for authentication. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2017-01-13 08:12:37 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1381992 | | |
Description
Tomas Hoger
2016-10-18 07:32:31 UTC
This fix seems to work around bugs in applications rather than address a flaw in the JDK. The problematic scenario is:

- A Java application connects to some HTTPS server, and the server requires HTTP authentication.
- The application normally connects to the server directly, or using an HTTP proxy which does not require authentication.
- The java.net.Authenticator subclass used in the application to provide authentication credentials to the Networking component of the JDK does not properly check which requestor host/port and which requestor type is requesting credentials. I.e. it returns server authentication credentials when asked for proxy authentication credentials.

The problem happens when the connection is made via an HTTP proxy that requires HTTP Basic authentication. The application sends out server credentials over a plain text connection to the proxy, even though those credentials are only meant to be sent over an encrypted connection and only to the target server.

It can be argued that this change also works around problems in the API design and/or documentation (as the example in the official documentation does not include any requestor type checks either):
http://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html

This fix breaks the use case where properly implemented applications, that distinguish server and proxy authentication credentials, make HTTPS connections via an HTTP proxy that requires Basic authentication. After this fix, Basic authentication will no longer be tried and the application will not be asked for proxy authentication credentials. Note that HTTP connections from the same application sent via the same proxy will not be affected. Removing Basic from the tunneling.disabledSchemes would avoid the breakage in this use case.

On the Java command line, this can be used:

    -Djdk.http.auth.tunneling.disabledSchemes=

This change has the following entry in the release notes for Oracle JDK 8u111, 7u121, and 6u131:

http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_121
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_131

> Disable Basic authentication for HTTPS tunneling
>
> In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime, by adding Basic to the jdk.http.auth.tunneling.disabledSchemes networking property. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" (empty) on the command line.
>
> Additionally, the jdk.http.auth.tunneling.disabledSchemes and jdk.http.auth.proxying.disabledSchemes networking properties, and system properties of the same name, can be used to disable other authentication schemes that may be active when setting up a tunnel for HTTPS, or proxying plain HTTP, respectively.
>
> JDK-8160838 (not public)

Public now via Oracle CPU October 2016, fixed in Oracle JDK 8u111, 7u121, and 6u131.

External References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA

OpenJDK 8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d689f7b806c8

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
Via RHSA-2016:2079 https://rhn.redhat.com/errata/RHSA-2016-2079.html

This issue has been addressed in the following products:
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7
Via RHSA-2016:2088 https://rhn.redhat.com/errata/RHSA-2016-2088.html

This issue has been addressed in the following products:
  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7
Via RHSA-2016:2090 https://rhn.redhat.com/errata/RHSA-2016-2090.html

This issue has been addressed in the following products:
  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7
Via RHSA-2016:2089 https://rhn.redhat.com/errata/RHSA-2016-2089.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5 Supplementary
Via RHSA-2016:2138 https://rhn.redhat.com/errata/RHSA-2016-2138.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2016:2137 https://rhn.redhat.com/errata/RHSA-2016-2137.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary
Via RHSA-2016:2136 https://rhn.redhat.com/errata/RHSA-2016-2136.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5 Supplementary
  Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2016:2659 https://rhn.redhat.com/errata/RHSA-2016-2659.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
Via RHSA-2016:2658 https://rhn.redhat.com/errata/RHSA-2016-2658.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
Via RHSA-2017:0061 https://rhn.redhat.com/errata/RHSA-2017-0061.html

This issue has been addressed in the following products:
  Red Hat Satellite 5.6
  Red Hat Satellite 5.7
Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216
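The report's root cause is an Authenticator that answers every challenge with the same credential. The following is an added example, not code from the bug report or from OpenJDK: a java.net.Authenticator that checks requestor type, protocol and host before releasing a server credential, shown next to the unscoped pattern the report describes. The host name, user name and password are constructed placeholders.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;

/* Added example, not code from the bug report or from OpenJDK.
 * Host name, user name and password are constructed placeholders. */
public class ScopedAuthenticator extends Authenticator {
    // The only host this credential is meant for (constructed value).
    private static final String TARGET_HOST = "api.example.test";
    private final String user;
    private final char[] password;

    ScopedAuthenticator(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Release the server credential only when the server itself is asking
        // (not a proxy 407 challenge), over HTTPS, and for the host the
        // credential belongs to. Returning null for anything else means the
        // JDK sends no credential instead of sending it to the proxy in clear.
        if (getRequestorType() != RequestorType.SERVER) {
            return null;
        }
        if (!"https".equalsIgnoreCase(getRequestingProtocol())) {
            return null;
        }
        if (!TARGET_HOST.equalsIgnoreCase(getRequestingHost())) {
            return null;
        }
        return new PasswordAuthentication(user, password.clone());
    }

    /* The pattern the report warns about: the same credential for every
     * requestor, so a proxy challenging with Basic receives the server
     * password over a plain text connection. Shown for contrast only. */
    static class UnscopedAuthenticator extends Authenticator {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication("svc-user", "s3cret".toCharArray());
        }
    }

    public static void main(String[] args) {
        // HttpURLConnection consults the default Authenticator on 401/407;
        // with this one installed, proxy challenges receive no credential.
        Authenticator.setDefault(new ScopedAuthenticator("svc-user", "s3cret".toCharArray()));
    }
}
```

With the scoped authenticator installed, a proxy that still needs Basic for HTTPS tunnelling can be accommodated by a separate RequestorType.PROXY branch returning a proxy-only credential, together with clearing jdk.http.auth.tunneling.disabledSchemes as the report describes.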