Bug 1535036 (CVE-2018-2633)
| Summary: | CVE-2018-2633 OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | dbhole, jvanek, security-response-team, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
It was discovered that the LDAPCertStore class in the JNDI component of OpenJDK failed to securely handle LDAP referrals. An attacker could possibly use this flaw to make it fetch attacker controlled certificate data.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-03-14 15:40:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1528238, 1528239, 1528240, 1528241, 1528243, 1528244, 1528245, 1528246, 1535085, 1535086, 1535087, 1535088, 1535089, 1535090, 1535091, 1535092, 1535104, 1535105, 1535106, 1535107, 1546135, 1546136, 1546137, 1546138, 1546140, 1546141, 1546142, 1546143, 1549401, 1549402 | ||
| Bug Blocks: | 1528235 | ||
|
Description
Tomas Hoger
2018-01-16 14:23:17 UTC
Public now via Oracle CPU January 2018: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA The issue was fixed in Oracle JDK 9.0.4, 8u161, 7u171, and 6u181. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2018:0095 https://access.redhat.com/errata/RHSA-2018:0095 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:0099 https://access.redhat.com/errata/RHSA-2018:0099 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:0100 https://access.redhat.com/errata/RHSA-2018:0100 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:0115 https://access.redhat.com/errata/RHSA-2018:0115 OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/6c4b009c1573 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:0351 https://access.redhat.com/errata/RHSA-2018:0351 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:0352 https://access.redhat.com/errata/RHSA-2018:0352 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2018:0349 https://access.redhat.com/errata/RHSA-2018:0349 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:0458 https://access.redhat.com/errata/RHSA-2018:0458 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:0521 https://access.redhat.com/errata/RHSA-2018:0521 This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2018:1463 https://access.redhat.com/errata/RHSA-2018:1463 This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2018:1812 https://access.redhat.com/errata/RHSA-2018:1812 |