Bug 1443252 (CVE-2017-3526)

Summary: CVE-2017-3526 OpenJDK: incomplete XML parse tree size enforcement (JAXP, 8169011)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dbhole, jvanek, security-response-team, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-09 12:42:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1438752    

Description Tomas Hoger 2017-04-18 21:51:57 UTC 
It was found that the JAXP (Java API for XML Processing) component of OpenJDK failed to correctly enforce parse tree size limits when parsing XML document.  An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory.
Comment 1 Tomas Hoger 2017-04-18 22:19:07 UTC 
Public now via Oracle CPU April 20167, fixed in Oracle JDK 8u131, 7u141, and 6u151.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA
Comment 2 Tomas Hoger 2017-04-19 11:32:19 UTC 
OpenJDK8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/756b7a2f20cc
Comment 3 errata-xmlrpc 2017-04-20 19:28:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1109
Comment 4 errata-xmlrpc 2017-04-21 02:11:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1108
Comment 5 errata-xmlrpc 2017-04-24 11:17:53 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1118
Comment 6 errata-xmlrpc 2017-04-24 11:18:49 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1117
Comment 7 errata-xmlrpc 2017-04-24 11:19:38 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1119 https://access.redhat.com/errata/RHSA-2017:1119
Comment 8 errata-xmlrpc 2017-05-09 10:48:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1204 https://access.redhat.com/errata/RHSA-2017:1204