Bug 1665953 (CVE-2019-2426)

Summary: CVE-2019-2426 OpenJDK: transparent NTLM authentication enabled by default (Networking, 8209094)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: abergmann, ahughes, bkearney, dbhole, ggainey, java-qa, jvanek, meissner, security-response-team, tlestach
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-01-14 14:44:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1661579 (Embargoed)

Description Tomas Hoger 2019-01-14 14:43:33 UTC
It was discovered that the HTTP client implementation in the Networking component of OpenJDK enabled transparent NTLM authentication by default.  This could lead to an information leak in communication with untrusted servers.

The fix introduces a new network property, jdk.http.ntlm.transparentAuth, which controls the use of transparent NTLM authentication and can take the values disabled (default), allHosts, or trustedHosts.

This issue only affected versions of OpenJDK for Microsoft Windows; versions for Linux were not affected.
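An added example, not part of this bug report or of the OpenJDK sources: a small Java audit that reports the effective jdk.http.ntlm.transparentAuth setting on a JVM, so an administrator can confirm that a patched build has the property at its disabled default and that nobody has re-enabled allHosts. It assumes that a system property overrides the net.properties file and that the file lives at conf/net.properties (JDK 9+) or lib/net.properties / jre/lib/net.properties (JDK 8); the wording of the three assessments is the author's own, not taken from the JDK.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

/** Reports the effective jdk.http.ntlm.transparentAuth value for the running JVM. */
public class NtlmTransparentAuthAudit {
    static final String KEY = "jdk.http.ntlm.transparentAuth";

    /** Candidate net.properties locations (assumption: conf/ for JDK 9+, lib/ or jre/lib/ for JDK 8). */
    static Path netPropertiesFile() {
        Path home = Paths.get(System.getProperty("java.home"));
        Path[] candidates = {
            home.resolve("conf").resolve("net.properties"),
            home.resolve("lib").resolve("net.properties"),
            home.resolve("jre").resolve("lib").resolve("net.properties")
        };
        for (Path p : candidates) {
            if (Files.exists(p)) return p;
        }
        return candidates[0]; // reported as the expected location even if absent
    }

    /** A -D system property takes precedence; otherwise read the file; otherwise assume the patched default. */
    static String effectiveValue() throws IOException {
        String sys = System.getProperty(KEY);
        if (sys != null) return sys.trim();
        Properties props = new Properties();
        Path file = netPropertiesFile();
        if (Files.exists(file)) {
            try (FileInputStream in = new FileInputStream(file.toFile())) { props.load(in); }
        }
        return props.getProperty(KEY, "disabled").trim();
    }

    /** Maps the three documented values to a risk statement (author's wording). */
    static String assess(String value) {
        switch (value) {
            case "allHosts":     return "RISKY: transparent NTLM authentication to any host";
            case "trustedHosts": return "LIMITED: transparent NTLM only for hosts the platform treats as trusted";
            case "disabled":     return "SAFE: transparent NTLM authentication is off (patched default)";
            default:             return "UNKNOWN value '" + value + "'; review net.properties";
        }
    }

    public static void main(String[] args) throws IOException {
        String value = effectiveValue();
        String source = System.getProperty(KEY) != null ? "system property" : netPropertiesFile().toString();
        System.out.println(KEY + " = " + value + " (source: " + source + ")");
        System.out.println(assess(value));
    }
}
```

Run it under the JVM you are auditing (the setting is only meaningful on Windows builds, where the vulnerable behaviour existed), for example with `java -Djdk.http.ntlm.transparentAuth=allHosts NtlmTransparentAuthAudit` to see the override path reported.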

Comment 1 Tomas Hoger 2019-01-15 22:07:58 UTC
Public now via Oracle CPU January 2019:

Fixed in Oracle Java 11.0.2, 8u201, and 7u211.

Comment 2 Tomas Hoger 2019-02-13 16:30:02 UTC
OpenJDK-8 upstream commit:

OpenJDK-11 upstream commit: