Bug 1665953 (CVE-2019-2426)

Summary:	CVE-2019-2426 OpenJDK: transparent NTLM authentication enabled by default (Networking, 8209094)
Product:	[Other] Security Response	Reporter:	Tomas Hoger <thoger>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED NOTABUG	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	abergmann, ahughes, bkearney, dbhole, ggainey, java-qa, jvanek, meissner, security-response-team, tlestach
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-01-14 14:44:48 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Bug Depends On:
Bug Blocks:	Embargoed1661579

Description Tomas Hoger 2019-01-14 14:43:33 UTC

It was discovered that the HTTP client implementation in the Networking component of OpenJDK enabled transparent NTLM authentication by default.  This could lead to an information leak in communication with untrusted servers.

The fix introduces a new network property jdk.http.ntlm.transparentAuth, which can be used to control the use of the transparent NTLM authentication, and that can take values of disabled (default), allHosts, or trustedHosts.

This issue only affected version of OpenJDK for Microsoft Windows, versions for Linux were not affected.

Comment 1 Tomas Hoger 2019-01-15 22:07:58 UTC

Public now via Oracle CPU January 2019:

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixJAVA

Fixed in Oracle Java 11.0.2, 8u201, and 7u211.

Comment 2 Tomas Hoger 2019-02-13 16:30:02 UTC

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d0d0b71e3a2a

OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/12084427f1e2