Bug 1443097 (CVE-2017-3539)

Summary: CVE-2017-3539 OpenJDK: MD5 allowed for jar verification (Security, 8171121)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bkearney, dbhole, jvanek, meissner, security-response-team, taw, thomas, tlestach, yozone
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify the content of a Jar file that used a weak signing key or hash algorithm.
Last Closed: 2017-05-10 13:46:37 UTC
Bug Blocks: 1438752    

Description Tomas Hoger 2017-04-18 13:04:02 UTC
It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification.  This flaw could allow an attacker to modify the content of a Jar file that used a weak signing key or hash algorithm.

This problem was originally addressed as part of October 2016 CPU as CVE-2016-5542 (bug 1385723).  In that update, the following changes were made:

- New security property jdk.jar.disabledAlgorithms was introduced, which can be used to restrict which algorithms can be used for jar verification.

- MD2 hash algorithm and RSA keys with less than 1024 bits were disabled by default.

At the same time, it was announced that the MD5 hash algorithm was going to be disabled in future updates.  It was originally planned to be disabled as part of the January 2017 CPU, but the change was further postponed to the April 2017 CPU.  Hence, MD5 is now becoming disabled by default.

Further details of the planned cryptography changes are available on the "Oracle JRE and JDK Cryptographic Roadmap" page:

https://www.java.com/en/jre-jdk-cryptoroadmap.html

Comment 1 Tomas Hoger 2017-04-18 18:23:54 UTC
Relevant entry in the Oracle JDK release notes:

http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_141
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_151

  security-libs/java.security
  MD5 added to jdk.jar.disabledAlgorithms Security property

  This JDK release introduces a new restriction on how MD5 signed JAR files
  are verified. If the signed JAR file uses MD5, signature verification
  operations will ignore the signature and treat the JAR as if it were
  unsigned. This can potentially occur in the following types of applications
  that use signed JAR files:

  * Applets or Web Start Applications

  * Standalone or Server Applications that are run with a SecurityManager
  enabled and are configured with a policy file that grants permissions based
  on the code signer(s) of the JAR file.

  The list of disabled algorithms is controlled via the security property,
  jdk.jar.disabledAlgorithms, in the java.security file. This property
  contains a list of disabled algorithms and key sizes for cryptographically
  signed JAR files.

  To check if a weak algorithm or key was used to sign a JAR file, one can
  use the jarsigner binary that ships with this JDK. Running
  "jarsigner -verify" on a JAR file signed with a weak algorithm or key
  will print more information about the disabled algorithm or key.

  For example, to check a JAR file named test.jar, use the following command:

  jarsigner -verify test.jar

  If the file in this example was signed with a weak signature algorithm like
  MD5withRSA, the following output would be displayed:

    The jar will be treated as unsigned, because it is signed with a weak
    algorithm that is now disabled. Re-run jarsigner with the -verbose
    option for more details.

  More details can be displayed by using the verbose option:

  jarsigner -verify -verbose test.jar

  The following output would be displayed:

  - Signed by "CN=weak_signer" 
      Digest algorithm: MD5 (weak) 
      Signature algorithm: MD5withRSA (weak), 512-bit key (weak) 
    Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016 
      Timestamp digest algorithm: SHA-256 
      Timestamp signature algorithm: SHA256withRSA, 2048-bit key

  To address the issue, the JAR file will need to be re-signed with a
  stronger algorithm or key size. Alternatively, the restrictions can be
  reverted by removing the applicable weak algorithms or key sizes from the
  jdk.jar.disabledAlgorithms security property; however, this option is not
  recommended. Before re-signing affected JARs, the existing signature(s)
  should be removed from the JAR file. This can be done with the .zip
  utility, as follows:

  zip -d test.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'

  Please periodically check the Oracle JRE and JDK Cryptographic Roadmap at
  http://java.com/cryptoroadmap for planned restrictions to signed JARs and
  other security components.

  JDK-8171121 (not public)
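
Added example (not part of this bug report or of Oracle's release notes): a JDK-free audit that lists which signature files in a JAR use a digest named in jdk.jar.disabledAlgorithms, by reading the *-Digest attribute names in META-INF/*.SF. The property value is an assumption reconstructed from the description above, and the function names and sample JAR are constructed for illustration.

```python
import io
import re
import zipfile

# Assumed property value, reconstructed from this bug's description: MD2 and
# RSA keys under 1024 bits were disabled first, MD5 was added by this update.
DISABLED = "MD2, MD5, RSA keySize < 1024"
# Matches X-Digest, X-Digest-Manifest and X-Digest-Manifest-Main-Attributes.
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)

def normalize(name):
    """Make 'SHA-256' and 'sha256' compare equal."""
    return name.upper().replace("-", "")

def disabled_digests(prop=DISABLED):
    """Digest names in the property; key-size constraints are not digests."""
    entries = (e.strip() for e in prop.split(","))
    return {normalize(e) for e in entries if e and "keySize" not in e}

def audit_jar(data, prop=DISABLED):
    """Map each .SF file in the JAR bytes to the disabled digests it uses."""
    # The signature algorithm and key size sit in the PKCS#7 block; not parsed.
    weak = disabled_digests(prop)
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if SIG_FILE.match(name):
                text = jar.read(name).decode("utf-8", "replace")
                used = {m.group(1) for m in DIGEST_ATTR.finditer(text)}
                findings[name] = sorted(a for a in used if normalize(a) in weak)
    return findings

def build_sample_jar():
    """Constructed test JAR: two signature files, digest values are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/WEAK.SF",
                     "Signature-Version: 1.0\r\nMD5-Digest-Manifest: AAAA\r\n"
                     "\r\nName: A.class\r\nMD5-Digest: AAAA\r\n")
        jar.writestr("META-INF/STRONG.SF",
                     "Signature-Version: 1.0\r\n"
                     "SHA-256-Digest-Manifest: AAAA\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for sf, weak in audit_jar(build_sample_jar()).items():
        print(sf, "->", weak or "no disabled digest")
```

This covers the digest algorithm only; "jarsigner -verify -verbose" remains the check for the signature algorithm and key size.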

Comment 2 Tomas Hoger 2017-04-18 22:18:59 UTC
Public now via Oracle CPU April 2017, fixed in Oracle JDK 8u131, 7u141, and 6u151.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA

Comment 3 Tomas Hoger 2017-04-19 11:28:36 UTC
OpenJDK8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1f2ff3f1882a

Comment 4 errata-xmlrpc 2017-04-20 19:28:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1109

Comment 5 errata-xmlrpc 2017-04-21 02:11:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1108

Comment 6 errata-xmlrpc 2017-04-24 11:17:35 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1118

Comment 7 errata-xmlrpc 2017-04-24 11:18:32 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1117

Comment 8 errata-xmlrpc 2017-04-24 11:19:20 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1119 https://access.redhat.com/errata/RHSA-2017:1119

Comment 9 errata-xmlrpc 2017-05-09 10:48:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1204 https://access.redhat.com/errata/RHSA-2017:1204

Comment 10 errata-xmlrpc 2017-05-10 12:47:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:1222

Comment 11 errata-xmlrpc 2017-05-10 12:49:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1221

Comment 12 errata-xmlrpc 2017-05-10 12:51:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1220

Comment 13 errata-xmlrpc 2017-12-13 16:51:43 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453