Bug 1472666 (CVE-2017-10243)

Summary: CVE-2017-10243 OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jvanek, omajid
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information.
Story Points: ---
Last Closed: 2017-08-23 09:45:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1466515

Description Tomas Hoger 2017-07-19 07:38:37 UTC
Oracle Java SE 6u161, 7u151, and 8u141 fix an unspecified vulnerability in the JAX-WS component (CVE-2017-10243). Upstream has assigned this issue a CVSS score of: 6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

External Reference:

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA

Comment 1 errata-xmlrpc 2017-07-20 16:01:53 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:1792 https://access.redhat.com/errata/RHSA-2017:1792

Comment 2 errata-xmlrpc 2017-07-20 16:04:30 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1791 https://access.redhat.com/errata/RHSA-2017:1791

Comment 3 errata-xmlrpc 2017-07-20 16:20:25 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1790 https://access.redhat.com/errata/RHSA-2017:1790

Comment 4 Tomas Hoger 2017-08-01 09:23:01 UTC
It was reported that this issue also affected OpenJDK.

It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use security settings for XML parsing when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information.

OpenJDK-8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jaxws/rev/65d3b0e44551

Comment 5 Tomas Hoger 2017-08-01 09:24:46 UTC
Relevant entry in the Oracle Java 8u141 release notes:

http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html

  xml/jax-ws
  Tighter secure checks on processing WSDL files by wsimport tool

  The wsimport tool has been changed to disallow DTDs in Web Service
  descriptions, specifically:

  - DOCTYPE declaration is disallowed in documents
  - External general entities are not included by default
  - External parameter entities are not included by default
  - External DTDs are completely ignored

  To restore the previous behavior:

  - Set the System property com.sun.xml.internal.ws.disableXmlSecurity to true
  - Use the wsimport tool command line option -disableXmlSecurity

  NOTE: JDK 7 and JDK 6 support for this option in wsimport will be provided
  via a Patch release post July CPU

  JDK-8182054 (not public)
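
The same four restrictions the release note lists, applied to a JAXP DOM parser in application code, as an added example that is not the OpenJDK wsimport change itself; the sample WSDL documents and the example.invalid host are constructed for the demonstration, and the parser never contacts that host because the DOCTYPE is rejected before any entity is resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class SecureWsdlParse {
    // Constructed sample: a minimal WSDL carrying a DOCTYPE with an external
    // parameter entity (example.invalid is a placeholder host, never contacted).
    static final String WSDL_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE definitions [ <!ENTITY % ext SYSTEM \"http://example.invalid/x.dtd\"> %ext; ]>\n"
        + "<definitions xmlns=\"http://schemas.xmlsoap.org/wsdl/\" name=\"demo\"/>\n";

    // Constructed sample: the same document without a DTD, which must still parse.
    static final String WSDL_PLAIN =
        "<?xml version=\"1.0\"?>\n"
        + "<definitions xmlns=\"http://schemas.xmlsoap.org/wsdl/\" name=\"demo\"/>\n";

    // Parser configured the way the 8u141 release note describes for wsimport:
    // DOCTYPE rejected, external general/parameter entities not fetched, external DTDs ignored.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the document parsed, false if the hardened parser rejected it.
    static boolean parses(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain WSDL parses: " + parses(WSDL_PLAIN));
        System.out.println("WSDL with DTD parses: " + parses(WSDL_WITH_DTD));
    }
}
```

With the JDK's built-in Xerces parser the DOCTYPE-carrying sample fails with a SAXParseException at the DOCTYPE declaration, while the plain document parses; dropping the disallow-doctype-decl line alone would let the DTD through and the remaining three features would then be what stops the external fetch.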

Comment 6 errata-xmlrpc 2017-08-07 15:08:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:2424 https://access.redhat.com/errata/RHSA-2017:2424

Comment 7 errata-xmlrpc 2017-08-14 09:50:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:2469 https://access.redhat.com/errata/RHSA-2017:2469

Comment 8 errata-xmlrpc 2017-08-15 20:00:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:2481 https://access.redhat.com/errata/RHSA-2017:2481

Comment 9 errata-xmlrpc 2017-08-23 09:19:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:2530 https://access.redhat.com/errata/RHSA-2017:2530

Comment 10 errata-xmlrpc 2017-12-13 16:54:19 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453