Bug 1639834 (CVE-2018-3149)

Summary: CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: ahughes, dbhole, jvanek, security-response-team, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-18 21:53:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1633820, 1633821, 1633822, 1639728, 1639729, 1639730, 1639731, 1639732, 1639733, 1639734, 1639736, 1639737, 1639780, 1640178, 1640179, 1640180, 1646173, 1646174, 1646175, 1649854, 1649855, 1649856, 1652094, 1652099, 1652100
Bug Blocks: 1633819

Description Tomas Hoger 2018-10-16 17:30:21 UTC
It was discovered that the JNDI component of OpenJDK did not properly enforce the restriction controlled by the com.sun.jndi.ldap.object.trustURLCodebase system property.  In certain cases, a Java LDAP client could unexpectedly load and execute code from an LDAP server.

Comment 1 Tomas Hoger 2018-10-16 19:21:41 UTC
The restriction on loading classes from a remote URL and the com.sun.jndi.ldap.object.trustURLCodebase system property were introduced via this commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/255dcd4f19b6

as the fix for CVE-2009-1094.
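
The description and Comment 1 above describe the mechanism (an LDAP server answer can carry a class name and codebase URL, and the JDK only refuses to load from that codebase when trustURLCodebase is left at its default) but not what a client application can do about it beyond patching. The following is an added example written for this page, not code from OpenJDK or Red Hat, showing the two checks a hardened LDAP client would make before a JNDI lookup: confirm nobody re-enabled com.sun.jndi.ldap.object.trustURLCodebase, and refuse lookup names that are themselves URLs, since InitialContext.lookup() on a "scheme:..." string is dispatched to that scheme's provider regardless of the configured PROVIDER_URL. The class name GuardedLdapLookup, the helper names and the PROVIDER_URL value are assumptions for the illustration.

```java
import java.util.Hashtable;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical hardened wrapper around an LDAP JNDI lookup (example code). */
public class GuardedLdapLookup {

    // The property from the bug. Unset or "false" (the default since the
    // CVE-2009-1094 fix) tells the LDAP provider not to load classes from a
    // codebase URL supplied by the server.
    static final String TRUST_URL_CODEBASE = "com.sun.jndi.ldap.object.trustURLCodebase";

    // The only directory server this client may talk to (assumed value).
    static final String PROVIDER_URL = "ldap://ldap.internal.example:389";

    // A plain LDAP DN starts with "<attributeType>=". A JNDI URL starts with
    // "<scheme>:" before any '=', so this allowlist rejects "ldap://...",
    // "rmi://..." and similar names.
    private static final Pattern DN_SHAPE = Pattern.compile("^[A-Za-z][A-Za-z0-9-]*=.+");

    /** Refuse to run if remote codebase loading was switched back on. */
    static void requireCodebaseRestriction() {
        if (Boolean.parseBoolean(System.getProperty(TRUST_URL_CODEBASE))) {
            throw new IllegalStateException(
                TRUST_URL_CODEBASE + "=true re-enables remote class loading; refusing to start");
        }
    }

    /** True only for names shaped like a DN, never for a URL. */
    static boolean isSafeName(String name) {
        return name != null && DN_SHAPE.matcher(name).matches();
    }

    /** Look up a DN against the fixed provider, after both checks. */
    static Object lookup(String name) throws NamingException {
        requireCodebaseRestriction();
        if (!isSafeName(name)) {
            throw new NamingException("refusing JNDI lookup of non-DN name: " + name);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        DirContext ctx = new InitialDirContext(env);
        try {
            return ctx.lookup(name);
        } finally {
            ctx.close();
        }
    }

    // Demonstrates the checks without needing a directory server.
    public static void main(String[] args) {
        requireCodebaseRestriction();
        String[] candidates = {
            "cn=app-config,dc=example,dc=internal",   // a DN: accepted
            "ldap://attacker.example:1389/Exploit",   // a URL: rejected
            "rmi://attacker.example/Exploit",         // a URL: rejected
            "cn=a:b,dc=example"                       // DN containing ':': accepted
        };
        for (String c : candidates) {
            System.out.println((isSafeName(c) ? "allow  " : "reject ") + c);
        }
    }
}
```

Run with `-Dcom.sun.jndi.ldap.object.trustURLCodebase=true` to see the start-up check fire. Two caveats apply. First, the property only restricts loading classes from a remote codebase; an entry from a server you do trust can still carry a javaSerializedData attribute that the client deserializes locally, so the directory server itself must be trustworthy and kept out of attacker reach. Second, this wrapper is defence in depth: the bug on this page is precisely that the JDK did not honour the property in every code path, so the actual fix is the updated package from the errata below.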

Comment 2 Tomas Hoger 2018-10-16 20:55:01 UTC
Public now via Oracle CPU October 2018:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA

The issue was fixed in Oracle JDK 11.0.1, 8u191, 7u201, and 6u211.

Comment 4 errata-xmlrpc 2018-10-17 21:22:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2942 https://access.redhat.com/errata/RHSA-2018:2942

Comment 5 errata-xmlrpc 2018-10-17 21:22:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2943 https://access.redhat.com/errata/RHSA-2018:2943

Comment 6 Tomas Hoger 2018-10-19 20:33:02 UTC
OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/28d4d67065ab

OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/e62c1f2ef2dd

Comment 7 errata-xmlrpc 2018-10-24 21:39:17 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3007 https://access.redhat.com/errata/RHSA-2018:3007

Comment 8 errata-xmlrpc 2018-10-24 21:39:53 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3008 https://access.redhat.com/errata/RHSA-2018:3008

Comment 9 errata-xmlrpc 2018-10-24 22:06:01 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3000 https://access.redhat.com/errata/RHSA-2018:3000

Comment 10 errata-xmlrpc 2018-10-24 22:06:35 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3001 https://access.redhat.com/errata/RHSA-2018:3001

Comment 11 errata-xmlrpc 2018-10-24 22:07:11 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002

Comment 12 errata-xmlrpc 2018-10-24 22:07:54 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003

Comment 14 errata-xmlrpc 2018-10-30 09:18:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3350 https://access.redhat.com/errata/RHSA-2018:3350

Comment 15 errata-xmlrpc 2018-10-30 16:59:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3409 https://access.redhat.com/errata/RHSA-2018:3409

Comment 16 errata-xmlrpc 2018-11-07 18:13:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521

Comment 17 errata-xmlrpc 2018-11-09 11:49:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533

Comment 18 errata-xmlrpc 2018-11-09 11:49:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534

Comment 21 errata-xmlrpc 2018-11-26 15:43:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3671 https://access.redhat.com/errata/RHSA-2018:3671

Comment 22 errata-xmlrpc 2018-11-26 15:43:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3672 https://access.redhat.com/errata/RHSA-2018:3672

Comment 23 errata-xmlrpc 2018-12-05 15:53:22 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2018:3779 https://access.redhat.com/errata/RHSA-2018:3779

Comment 24 errata-xmlrpc 2018-12-18 15:51:12 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852