Bug 1725928 (CVE-2019-10181)

Summary: CVE-2019-10181 icedtea-web: unsigned code injection in a signed JAR file
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dbhole, jvanek, omajid, security-response-team, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-31 19:18:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1725929, 1725930, 1734633, 1734634, 1734644, 1734805    
Bug Blocks: 1724963    

Description Cedric Buissart 2019-07-01 18:50:41 UTC 
The implementation considers jar archives fully signed even when unsigned class files are residing in the META-INF directory. An mitm attacker could inject extra code to the jar archive and get it invoked by specifying it via the main-class attribute of application-desc: <application-desc main-class="META-INF.Test" />

The dash is not among the allowed characters in Java identifiers, so this cannot be produced via a legit compiler, but the bytecode verifier accepts crafted class files with dash in the package name happily.
Comment 4 Cedric Buissart 2019-07-22 06:48:34 UTC 
Acknowledgments:

Name: Imre Rad
Comment 10 Cedric Buissart 2019-07-31 13:42:49 UTC 
Created icedtea-web tracking bugs for this issue:

Affects: fedora-all [bug 1734805]
Comment 11 errata-xmlrpc 2019-07-31 17:52:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2004 https://access.redhat.com/errata/RHSA-2019:2004
Comment 12 errata-xmlrpc 2019-07-31 19:13:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2003 https://access.redhat.com/errata/RHSA-2019:2003
Comment 13 Product Security DevOps Team 2019-07-31 19:18:25 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10181
Comment 14 Cedric Buissart 2019-08-02 13:25:28 UTC 
Upstream fixes :

* 1.7 branch :
CVE-2019-10182 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/f9c2cf7fd24415ba2bb2619b69259035338ee5b6
CVE-2019-10185 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/26305807b41a5b4e9813db42531acd754899207f
CVE-2019-10181 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/32d174def953d801eb1cfc9d989bff5e80aac3cd

* 1.8 branch :
CVE-2019-10182 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/7958049eedc213be1ad4ae80ee312b167ddb320f
CVE-2019-10185 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/686213a6d68c21879d92cea3699b279c8f2662fa
CVE-2019-10181 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e