Bug 1665945 (CVE-2019-2422)

Summary: CVE-2019-2422 OpenJDK: memory disclosure in FileChannelImpl (Libraries, 8206290)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abergmann, ahughes, bkearney, dbhole, dmoppert, dominik.mierzejewski, java-qa, jvanek, meissner, security-response-team, tlestach, yozone
Keywords: Security
Hardware: All
OS: Linux
Whiteboard:
  impact=moderate
  public=20190115
  reported=20181221
  source=oracle
  cvss3=3.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  cwe=CWE-200
  rhel-6/java-1.7.0-openjdk=affected
  rhel-7/java-1.7.0-openjdk=affected
  rhel-6/java-1.8.0-openjdk=affected
  rhel-7/java-1.8.0-openjdk=affected
  rhel-8/java-1.8.0-openjdk=notaffected
  rhel-7/java-11-openjdk=affected
  rhel-8/java-11-openjdk=notaffected
  rhel-6/java-1.7.1-ibm=affected
  rhel-7/java-1.7.1-ibm=affected
  rhel-6/java-1.8.0-ibm=affected
  rhel-7/java-1.8.0-ibm=affected
  rhel-8/java-1.8.0-ibm=affected
  rhn_satellite_5/java-1.8.0-ibm=affected
Last Closed: 2019-05-16 16:24:03 UTC
Bug Depends On: 1685117, 1661581, 1661582, 1661585, 1661586, 1661587, 1666531, 1666532, 1666899, 1666900, 1685054, 1685111, 1685112, 1685113, 1685114, 1685115, 1685116, 1689835, 1694579
Bug Blocks: 1661579

Description Tomas Hoger 2019-01-14 14:30:10 UTC
A memory disclosure flaw was found in the FileChannelImpl class in the Libraries component of OpenJDK. An untrusted Java application or applet could use this flaw to leak a limited amount of Java Virtual Machine memory possibly containing sensitive information, resulting in a partial bypass of Java sandbox restrictions.

Comment 1 Tomas Hoger 2019-01-15 22:07:40 UTC
Public now via Oracle CPU January 2019:

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixJAVA

Fixed in Oracle Java 11.0.2, 8u201, and 7u211.
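Comment 1 gives the Oracle releases carrying the fix (7u211, 8u201 and 11.0.2). As an added example that is not part of the bug report: a parser for the two `java.version` string formats in use at the time (the legacy `1.8.0_201` form and the JEP 223 `11.0.2` form) that decides whether a given runtime is at or past the fixed update for its family. The fixed-update table is taken from Comment 1; the sample `java -version` output is constructed and the function names are mine. This compares upstream version numbers only; for Red Hat builds the authoritative check is the RHSA IDs in the errata comments below, for example via `rpm -q --changelog java-1.8.0-openjdk | grep CVE-2019-2422`.

```python
import re
from typing import Optional, Tuple

# Earliest fixed update per Java family, from Comment 1 of this bug
# (Oracle Java 7u211, 8u201 and 11.0.2). Older builds of these families
# are treated as still affected by CVE-2019-2422.
FIXED_UPDATE = {7: 211, 8: 201, 11: 2}

# Legacy format (Java 8 and earlier): 1.<family>.0_<update>[-b<build>]
_LEGACY = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")
# JEP 223 format (Java 9 and later): <family>[.<interim>[.<update>]][+<build>]
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")

# Constructed sample of `java -version` output (which goes to stderr);
# not captured from any real host.
SAMPLE_JAVA_VERSION_OUTPUT = """\
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
"""


def parse_java_version(s: str) -> Tuple[int, int]:
    """Map either version-string format to (family, update).
    '1.8.0_191-b12' -> (8, 191); '11.0.2+9' -> (11, 2); '11' -> (11, 0)."""
    s = s.strip().strip('"')
    m = _LEGACY.match(s)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _MODERN.match(s)
    if m:
        return int(m.group(1)), int(m.group(3) or 0)
    raise ValueError(f"unrecognised java.version string: {s!r}")


def version_from_java_output(text: str) -> str:
    """Pull the quoted version out of the first line of `java -version`."""
    m = re.search(r'version "([^"]+)"', text)
    if not m:
        raise ValueError("no version line found in java -version output")
    return m.group(1)


def is_fixed(version: str) -> Optional[bool]:
    """True if the release includes the CVE-2019-2422 fix, False if it is an
    older build of a family the advisory covers, None if the family is not
    one Comment 1 lists (e.g. 9, 10 or 12): this page says nothing about those,
    so no claim is made."""
    family, update = parse_java_version(version)
    floor = FIXED_UPDATE.get(family)
    if floor is None:
        return None
    return update >= floor


def check_java_output(text: str) -> Tuple[str, Optional[bool]]:
    """Convenience wrapper: (version string, fixed?) for `java -version` text."""
    version = version_from_java_output(text)
    return version, is_fixed(version)


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["java", "-version"], capture_output=True,
                             text=True).stderr
    except FileNotFoundError:  # no java on PATH: fall back to the sample
        out = SAMPLE_JAVA_VERSION_OUTPUT
    print(check_java_output(out))
```

Families the advisory does not name come back as None rather than True, so a fleet report distinguishes "not covered by this advisory" from "patched"; treating unknown as patched is the usual mistake in ad hoc version checks.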

Comment 3 Tomas Hoger 2019-02-13 16:30:24 UTC
OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/01337312ad1e

OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/ca77f2e01dd1

Comment 5 errata-xmlrpc 2019-02-26 11:37:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:0416 https://access.redhat.com/errata/RHSA-2019:0416

Comment 6 errata-xmlrpc 2019-02-28 09:33:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0435 https://access.redhat.com/errata/RHSA-2019:0435

Comment 7 errata-xmlrpc 2019-02-28 10:09:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0436 https://access.redhat.com/errata/RHSA-2019:0436

Comment 8 errata-xmlrpc 2019-03-05 18:31:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:0462 https://access.redhat.com/errata/RHSA-2019:0462

Comment 9 errata-xmlrpc 2019-03-05 19:06:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0464 https://access.redhat.com/errata/RHSA-2019:0464

Comment 10 errata-xmlrpc 2019-03-06 21:52:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2019:0469 https://access.redhat.com/errata/RHSA-2019:0469

Comment 11 errata-xmlrpc 2019-03-07 15:58:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2019:0472 https://access.redhat.com/errata/RHSA-2019:0472

Comment 12 errata-xmlrpc 2019-03-07 15:58:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2019:0473 https://access.redhat.com/errata/RHSA-2019:0473

Comment 13 errata-xmlrpc 2019-03-07 15:59:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2019:0474 https://access.redhat.com/errata/RHSA-2019:0474

Comment 14 errata-xmlrpc 2019-03-25 18:25:32 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2019:0640 https://access.redhat.com/errata/RHSA-2019:0640

Comment 15 errata-xmlrpc 2019-05-16 13:25:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1238 https://access.redhat.com/errata/RHSA-2019:1238