Bug 1568163 (CVE-2018-2800)
| Summary: | CVE-2018-2800 OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dbhole, jvanek, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-05-24 20:52:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1559768, 1559769, 1559770, 1559771, 1559773, 1559774, 1559775, 1559776, 1565346, 1565347, 1565348, 1565349, 1565350, 1565351, 1565352, 1565353, 1565511, 1565512, 1565513, 1565514, 1577848, 1577849, 1577850, 1577851, 1577855, 1577856, 1577857, 1577858, 1579406, 1579410 | ||
| Bug Blocks: | 1559778 | ||
|
Description
Tomas Hoger
2018-04-16 21:40:46 UTC
Public now via Oracle CPU April 2018: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA The issue was fixed in Oracle 8u171, 7u181, and 6u191. Relevant entry in the Oracle JDK release notes: core-libs/java.rmi Server-side HTTP-tunneled RMI Connections Disabled Server side HTTP-tunneled RMI connections have been disabled by default in this release. This behavior can be reverted by setting the runtime property sun.rmi.server.disableIncomingHttp property to false. Note, this should not be confused with the sun.rmi.server.disableHttp property, which disables HTTP-tunneling on the client side and is false by default. JDK-8193833 (not public) http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_181 http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_191 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:1188 https://access.redhat.com/errata/RHSA-2018:1188 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1191 https://access.redhat.com/errata/RHSA-2018:1191 OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d70c21e5b413 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:1201 https://access.redhat.com/errata/RHSA-2018:1201 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:1202 https://access.redhat.com/errata/RHSA-2018:1202 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:1204 https://access.redhat.com/errata/RHSA-2018:1204 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:1203 https://access.redhat.com/errata/RHSA-2018:1203 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:1205 https://access.redhat.com/errata/RHSA-2018:1205 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:1206 https://access.redhat.com/errata/RHSA-2018:1206 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:1270 https://access.redhat.com/errata/RHSA-2018:1270 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1278 https://access.redhat.com/errata/RHSA-2018:1278 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:1721 https://access.redhat.com/errata/RHSA-2018:1721 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:1722 https://access.redhat.com/errata/RHSA-2018:1722 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:1723 https://access.redhat.com/errata/RHSA-2018:1723 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:1724 https://access.redhat.com/errata/RHSA-2018:1724 This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2018:1974 https://access.redhat.com/errata/RHSA-2018:1974 This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2018:1975 https://access.redhat.com/errata/RHSA-2018:1975 |