Bug 1567126 (CVE-2018-2794)

Summary: CVE-2018-2794 OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dbhole, jvanek, security-response-team, vvasilev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-24 20:52:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1559768, 1559769, 1559770, 1559771, 1559773, 1559774, 1559775, 1559776, 1565346, 1565347, 1565348, 1565349, 1565350, 1565351, 1565352, 1565353, 1565511, 1565512, 1565513, 1565514, 1577848, 1577849, 1577850, 1577851, 1577855, 1577856, 1577857, 1577858, 1579406, 1579410, 1724840, 1724841    
Bug Blocks: 1559778, 1569958    

Description Tomas Hoger 2018-04-13 13:10:35 UTC
It was discovered that the Security component of OpenJDK did not restrict which classes could be used when deserializing keys form the JCEKS key stores. A specially crafted JCEKS key store could possibly use this flaw to execute arbitrary code with the privileges of an application reading data form the key store.

The fix adds support for a new security property jceks.key.serialFilter which can be used to specify classes that can be used when deserializing data from the JCEKS key stores.

Comment 1 Tomas Hoger 2018-04-17 20:43:40 UTC
Public now via Oracle CPU April 2018:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA

The issue was fixed in Oracle JDK 10.0.1, 8u171, 7u181, and 6u191.

Comment 2 Tomas Hoger 2018-04-17 20:48:17 UTC
Relevant entry in the Oracle JDK release notes:

  security-libs/javax.crypto
  Enhanced KeyStore Mechanisms

  A new security property named jceks.key.serialFilter has been introduced.
  If this filter is configured, the JCEKS KeyStore uses it during the
  deserialization of the encrypted Key object stored inside a SecretKeyEntry.
  If it is not configured or if the filter result is UNDECIDED (for example,
  none of the patterns match), then the filter configured by
  jdk.serialFilter is consulted.

  If the system property jceks.key.serialFilter is also supplied, it
  supersedes the security property value defined here.

  The filter pattern uses the same format as jdk.serialFilter. The default
  pattern allows java.lang.Enum, java.security.KeyRep,
  java.security.KeyRep$Type, and javax.crypto.spec.SecretKeySpec but
  rejects all the others.

  Customers storing a SecretKey that does not serialize to the above types
  must modify the filter to make the key extractable.

  JDK-8189997 (not public)

http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_181
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_191

Comment 3 errata-xmlrpc 2018-04-19 16:59:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1188 https://access.redhat.com/errata/RHSA-2018:1188

Comment 4 errata-xmlrpc 2018-04-19 18:00:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1191 https://access.redhat.com/errata/RHSA-2018:1191

Comment 6 errata-xmlrpc 2018-04-23 17:11:42 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:1201 https://access.redhat.com/errata/RHSA-2018:1201

Comment 7 errata-xmlrpc 2018-04-23 17:14:53 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:1202 https://access.redhat.com/errata/RHSA-2018:1202

Comment 8 errata-xmlrpc 2018-04-23 17:17:25 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:1204 https://access.redhat.com/errata/RHSA-2018:1204

Comment 9 errata-xmlrpc 2018-04-23 17:19:54 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:1203 https://access.redhat.com/errata/RHSA-2018:1203

Comment 10 errata-xmlrpc 2018-04-23 17:21:56 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:1205 https://access.redhat.com/errata/RHSA-2018:1205

Comment 11 errata-xmlrpc 2018-04-23 17:29:48 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:1206 https://access.redhat.com/errata/RHSA-2018:1206

Comment 12 errata-xmlrpc 2018-04-30 16:17:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1270 https://access.redhat.com/errata/RHSA-2018:1270

Comment 13 errata-xmlrpc 2018-05-02 22:06:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1278 https://access.redhat.com/errata/RHSA-2018:1278

Comment 16 errata-xmlrpc 2018-05-24 18:52:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:1721 https://access.redhat.com/errata/RHSA-2018:1721

Comment 17 errata-xmlrpc 2018-05-24 18:57:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:1722 https://access.redhat.com/errata/RHSA-2018:1722

Comment 18 errata-xmlrpc 2018-05-24 19:00:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:1723 https://access.redhat.com/errata/RHSA-2018:1723

Comment 19 errata-xmlrpc 2018-05-24 19:04:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:1724 https://access.redhat.com/errata/RHSA-2018:1724

Comment 20 errata-xmlrpc 2018-06-25 14:56:44 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2018:1974 https://access.redhat.com/errata/RHSA-2018:1974

Comment 21 errata-xmlrpc 2018-06-25 14:57:19 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2018:1975 https://access.redhat.com/errata/RHSA-2018:1975