Bug 1413764 (CVE-2016-5547)
| Summary: | CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dbhole, hitoshi.iijima, jvanek, sardella, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-02-28 09:26:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1410614 | ||
|
Description
Tomas Hoger
2017-01-16 22:16:42 UTC
Public now via Oracle CPU January 2017: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA The issue was fixed in Oracle JDK 8u121 and 7u131. OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/683c9263a5b1 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2017:0176 https://rhn.redhat.com/errata/RHSA-2017-0176.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2017:0175 https://rhn.redhat.com/errata/RHSA-2017-0175.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:0180 https://rhn.redhat.com/errata/RHSA-2017-0180.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 7 Supplementary Via RHSA-2017:0263 https://rhn.redhat.com/errata/RHSA-2017-0263.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2017:0269 https://rhn.redhat.com/errata/RHSA-2017-0269.html This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Supplementary Via RHSA-2017:0337 https://rhn.redhat.com/errata/RHSA-2017-0337.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 7 Supplementary Via RHSA-2017:0336 https://rhn.redhat.com/errata/RHSA-2017-0336.html This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216 |