Bug 1413955 (CVE-2017-3241)

Summary: CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DGC (RMI, 8156802)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: dbhole, jvanek, sardella, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the RMI registry and DGC implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the RMI registry or a Java RMI application.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-28 09:24:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1410614

Description Tomas Hoger 2017-01-17 12:33:11 UTC
It was discovered that the RMI registry and DGC (Distributed Garbage Collector) implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the RMI registry or a Java RMI application.

Comment 1 Tomas Hoger 2017-01-17 13:03:52 UTC
This issue was addressed by defining serial filters for the RMI registry and RMI DGC. Built-in filters can be overridden via the sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties defined in the java.security file, or via system properties of the same name.

This fix builds on top of another change introduced in the Jan 2017 CPU - 8155760 - which adds serialization filtering. It makes it possible to define a serialization filter, which controls which classes are allowed to appear in the serialized input and sets limits for the deserialization process. The system-wide filter can be defined using the jdk.serialFilter security or system property. No filter is defined by default.

Comment 2 Tomas Hoger 2017-01-17 21:23:09 UTC
Related entry in the Oracle JDK release notes:

http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_131
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_141

  core-libs/java.rmi
  RMI Better constraint checking

  RMI Registry and Distributed Garbage Collection use the mechanisms of JEP
  290 Serialization Filtering to improve service robustness. RMI Registry and
  DGC implement built-in white-list filters for the typical classes expected
  to be used with each service. Additional filter patterns can be configured
  using either a system property or a security property. The
  "sun.rmi.registry.registryFilter" and "sun.rmi.transport.dgcFilter" property
  pattern syntax is described in JEP 290 and in
  <JRE>/lib/security/java.security.
  JDK-8156802 (not public)

The required serialization filtering feature is also mentioned:

  core-libs/java.io:serialization
  Serialization Filter Configuration

  Serialization Filtering introduces a new mechanism which allows incoming
  streams of object-serialization data to be filtered in order to improve
  both security and robustness. Every ObjectInputStream applies a filter, if
  configured, to the stream contents during deserialization. Filters are set
  using either a system property or a configured security property. The value
  of the "jdk.serialFilter" patterns are described in JEP 290 Serialization
  Filtering and in <JRE>/lib/security/java.security. Filter actions are
  logged to the 'java.io.serialization' logger, if enabled.
  See JDK-8155760

Referenced JEP and upstream bug:

http://openjdk.java.net/jeps/290
https://bugs.openjdk.java.net/browse/JDK-8155760
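The serialization filter mechanism described in Comment 1 and in the release notes quoted in Comment 2, shown as an added example; this is not code from this bug report, from the OpenJDK fix, or from the RMI implementation. It uses the public Java 9+ API java.io.ObjectInputFilter (in 8u121 the same mechanism is exposed as sun.misc.ObjectInputFilter). The classes Greeting and Gadget, the class name SerialFilterDemo and the pattern strings are constructed for the demonstration; Gadget is a stand-in for an attacker-chosen class and does nothing harmful. The per-stream filter call is used so the example is self-contained; the same patterns are what the jdk.serialFilter, sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter properties accept.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {

    // Constructed benign class: the kind of type a service legitimately expects on the wire.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Greeting(String message) { this.message = message; }
    }

    // Hypothetical attacker-chosen class. Harmless here; a real gadget's readObject would
    // run attacker-controlled logic, which is why the filter must act before it is reached.
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("    Gadget.readObject ran (attacker code would execute here)");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with a per-stream filter built from a JEP 290 pattern string.
    // A rejected class surfaces as InvalidClassException before any of its code runs.
    static String deserialize(byte[] bytes, String pattern) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            Object o = ois.readObject();
            return "ACCEPTED " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return "REJECTED (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "ERROR " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Greeting("hello"));
        byte[] hostile = serialize(new Gadget());
        byte[] bigArray = serialize(new byte[4096]);

        // Allow-list in the style of the built-in RMI filters: name the expected classes,
        // then reject everything else with "!*".
        String allowList = "SerialFilterDemo$Greeting;java.lang.*;!*";
        System.out.println("Greeting   with allow-list : " + deserialize(benign, allowList));
        System.out.println("Gadget     with allow-list : " + deserialize(hostile, allowList));

        // Same pattern without the trailing "!*": an unmatched class is UNDECIDED, which
        // ObjectInputStream does not reject, so Gadget.readObject runs.
        System.out.println("Gadget     without !*      : " + deserialize(hostile, "SerialFilterDemo$Greeting"));

        // Resource limits apply independently of class names; a primitive array never
        // matches a name pattern but is still bounded by maxarray.
        System.out.println("byte[4096] maxarray=1024   : " + deserialize(bigArray, "maxarray=1024;!*"));
        System.out.println("byte[4096] maxarray=8192   : " + deserialize(bigArray, "maxarray=8192;!*"));
    }
}
```

Compile and run with javac SerialFilterDemo.java && java SerialFilterDemo. The per-stream setObjectInputFilter call stands in for the process-wide configuration the comments describe: java -Djdk.serialFilter='SerialFilterDemo$Greeting;java.lang.*;!*' SerialFilterDemo applies the same allow-list to every ObjectInputStream in the process, and the RMI-specific patterns go into the sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter entries of <JRE>/lib/security/java.security or the system properties of the same name. Two points the run makes visible: a pattern list without a trailing "!*" is not an allow-list, because classes no pattern matches are left UNDECIDED and deserialize normally; and the limit patterns (maxarray, and likewise maxdepth, maxrefs, maxbytes) bound the stream even for primitive arrays that no class-name pattern can match.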

Comment 3 Tomas Hoger 2017-01-17 21:36:33 UTC
Public now via Oracle CPU January 2017:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA

The issue was fixed in Oracle JDK 8u121, 7u131, and 6u141.

Comment 4 Tomas Hoger 2017-01-18 20:53:38 UTC
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/75f31e0bd829

Required serialization filtering implementation:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/09c05d3bf23e

Comment 5 errata-xmlrpc 2017-01-19 14:01:27 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2017:0176 https://rhn.redhat.com/errata/RHSA-2017-0176.html

Comment 6 errata-xmlrpc 2017-01-19 14:03:27 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:0175 https://rhn.redhat.com/errata/RHSA-2017-0175.html

Comment 7 errata-xmlrpc 2017-01-19 14:10:48 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:0177 https://rhn.redhat.com/errata/RHSA-2017-0177.html

Comment 8 errata-xmlrpc 2017-01-20 11:06:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:0180 https://rhn.redhat.com/errata/RHSA-2017-0180.html

Comment 9 errata-xmlrpc 2017-02-09 12:07:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:0263 https://rhn.redhat.com/errata/RHSA-2017-0263.html

Comment 10 errata-xmlrpc 2017-02-13 11:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5

Via RHSA-2017:0269 https://rhn.redhat.com/errata/RHSA-2017-0269.html

Comment 11 errata-xmlrpc 2017-02-28 08:21:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2017:0337 https://rhn.redhat.com/errata/RHSA-2017-0337.html

Comment 12 errata-xmlrpc 2017-02-28 08:23:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:0336 https://rhn.redhat.com/errata/RHSA-2017-0336.html

Comment 13 errata-xmlrpc 2017-02-28 08:31:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2017:0338 https://rhn.redhat.com/errata/RHSA-2017-0338.html

Comment 14 errata-xmlrpc 2017-05-09 16:43:44 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216