Bug 1413717 (CVE-2017-3231)

Summary: CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dbhole, jvanek, sardella, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-28 09:26:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1410614    

Description Tomas Hoger 2017-01-16 19:08:21 UTC 
It was discovered that the URLClassLoader class in the Networking component of OpenJDK did not properly check access control context when downloading class files.  An untrusted Java application or applet could use this flaw to make HTTP requests to locations that should not be accessible, bypassing certain Java sandbox restrictions.
Comment 1 Tomas Hoger 2017-01-17 21:27:48 UTC 
Related entry in the Oracle JDK release notes:

http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_131
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_141

  core-libs/java.net
  Additional access restrictions for URLClassLoader.newInstance

  Class loaders created by the java.net.URLClassLoader.newInstance methods
  can be used to load classes from a list of given URLs. If the calling code
  does not have access to one or more of the URLs and the URL artifacts that
  can be accessed do not contain the required class, then a
  ClassNotFoundException, or similar, will be thrown. Previously, a
  SecurityException would have been thrown when access to a URL was denied.
  If required to revert to the old behavior, this change can be disabled by
  setting the jdk.net.URLClassPath.disableRestrictedPermissions system
  property.
  JDK-8151934 (not public)
Comment 2 Tomas Hoger 2017-01-17 21:44:02 UTC 
Public now via Oracle CPU January 2017:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA

The issue was fixed in Oracle JDK 8u121, 7u131, and 6u141.
Comment 3 Tomas Hoger 2017-01-18 20:43:37 UTC 
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/dfa1648415a4
Comment 4 errata-xmlrpc 2017-01-19 14:00:37 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2017:0176 https://rhn.redhat.com/errata/RHSA-2017-0176.html
Comment 5 errata-xmlrpc 2017-01-19 14:02:34 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:0175 https://rhn.redhat.com/errata/RHSA-2017-0175.html
Comment 6 errata-xmlrpc 2017-01-19 14:10:17 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:0177 https://rhn.redhat.com/errata/RHSA-2017-0177.html
Comment 7 errata-xmlrpc 2017-01-20 11:06:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:0180 https://rhn.redhat.com/errata/RHSA-2017-0180.html
Comment 8 errata-xmlrpc 2017-02-09 12:06:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:0263 https://rhn.redhat.com/errata/RHSA-2017-0263.html
Comment 9 errata-xmlrpc 2017-02-13 11:19:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5

Via RHSA-2017:0269 https://rhn.redhat.com/errata/RHSA-2017-0269.html
Comment 10 errata-xmlrpc 2017-02-28 08:20:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2017:0337 https://rhn.redhat.com/errata/RHSA-2017-0337.html
Comment 11 errata-xmlrpc 2017-02-28 08:22:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:0336 https://rhn.redhat.com/errata/RHSA-2017-0336.html
Comment 12 errata-xmlrpc 2017-02-28 08:30:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2017:0338 https://rhn.redhat.com/errata/RHSA-2017-0338.html
Comment 13 errata-xmlrpc 2017-05-09 16:42:54 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216