Bug 1777985 (CVE-2019-2894)

Summary: CVE-2019-2894 OpenJDK: Side-channel vulnerability in the ECDSA implementation (Security, 8228825)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahughes, dbhole, jvanek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-29 01:04:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1753424    

Description Tomas Hoger 2019-11-28 21:42:38 UTC 
A side-channel vulnerability was discovered in the ECDSA implementation in the Security component of OpenJDK.  This issue could possibly lead to a disclosure of the private key.

Further details can be found on pages of the Centre for Research on Cryptography and Security of Masaryk University in Brno (Czech republic):

https://minerva.crocs.fi.muni.cz/

The issue is branded as Minerva.

Patches applied to OpenJDK do not aim to address the problem in the EC implementation, but rather only disable affected EC curves in TLS by default.  Note that use cases where affected curves are re-enabled for use in TLS, or uses outside TLS would still be affected.

The following note regarding this issue was included in the Oracle Java SE release notes:

"""
security-libs/javax.net.ssl
➜ Remove Obsolete NIST EC Curves from the Default TLS Algorithms

This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.

To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:

java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ...

JDK-8228825 (not public)
"""

https://www.oracle.com/technetwork/java/javase/13-0-1-relnotes-5592797.html
https://www.oracle.com/technetwork/java/javase/8u231-relnotes-5592812.html

The EC curves that were disabled via the patch for this issue were not enabled in OpenJDK builds as included in Red Hat products, and hence those OpenJDK builds were not affected.
Comment 1 Tomas Hoger 2019-11-28 21:43:30 UTC 
Public via Oracle CPU October 2019:

https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA

Fixed in Oracle Java SE 13.0.1, 11.0.5, 8u231, and 7u241.
Comment 2 Product Security DevOps Team 2019-11-29 01:04:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-2894
Comment 3 Tomas Hoger 2019-11-29 07:25:49 UTC 
OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/4a01dc2f412e

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5456f24496f4