Bug 1413955 (CVE-2017-3241)
Summary: | CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | unspecified | CC: | dbhole, jvanek, sardella, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-02-28 09:24:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1410614 |
Description
Tomas Hoger
2017-01-17 12:33:11 UTC
This issue was addressed by defining serial filters for RMI registry and RMI DCG. Built-in filters can be overridden via sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties defined in the java.security files, or via system properties of the same name. This fix builds on top of another change introduced in the Jan 2017 CPU - 8155760 - which adds serialization filtering. It makes it possible to define serialization filter, which controls which classes are allowed to appear in the serialized input and sets limits for the deserialization process. The system-wide filter can be defined using the jdk.serialFilter security or system property. No filter is defined by default. Related entry in the Oracle JDK release notes: http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_131 http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_141 core-libs/java.rmi RMI Better constraint checking RMI Registry and Distributed Garbage Collection use the mechanisms of JEP 290 Serialization Filtering to improve service robustness. RMI Registry and DGC implement built-in white-list filters for the typical classes expected to be used with each service. Additional filter patterns can be configured using either a system property or a security property. The "sun.rmi.registry.registryFilter" and "sun.rmi.transport.dgcFilter" property pattern syntax is described in JEP 290 and in <JRE>/lib/security/java.security. JDK-8156802 (not public) The required serialization filtering feature is also mentioned: core-libs/java.io:serialization Serialization Filter Configuration Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the "jdk.serialFilter" patterns are described in JEP 290 Serialization Filtering and in <JRE>/lib/security/java.security. Filter actions are logged to the 'java.io.serialization' logger, if enabled. See JDK-8155760 Referenced JEP and upstream bug: http://openjdk.java.net/jeps/290 https://bugs.openjdk.java.net/browse/JDK-8155760 Public now via Oracle CPU January 2017: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA The issue was fixed in Oracle JDK 8u121, 7u131, and 6u141. OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/75f31e0bd829 Required serialization filtering implementation: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/09c05d3bf23e This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2017:0176 https://rhn.redhat.com/errata/RHSA-2017-0176.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2017:0175 https://rhn.redhat.com/errata/RHSA-2017-0175.html This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2017:0177 https://rhn.redhat.com/errata/RHSA-2017-0177.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:0180 https://rhn.redhat.com/errata/RHSA-2017-0180.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 7 Supplementary Via RHSA-2017:0263 https://rhn.redhat.com/errata/RHSA-2017-0263.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2017:0269 https://rhn.redhat.com/errata/RHSA-2017-0269.html This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Supplementary Via RHSA-2017:0337 https://rhn.redhat.com/errata/RHSA-2017-0337.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 7 Supplementary Via RHSA-2017:0336 https://rhn.redhat.com/errata/RHSA-2017-0336.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 5 Supplementary Via RHSA-2017:0338 https://rhn.redhat.com/errata/RHSA-2017-0338.html This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216 |