Bug 1823879 (CVE-2020-2778)

Summary: CVE-2020-2778 OpenJDK: Incomplete enforcement of algorithm restrictions for TLS (JSSE, 8232424)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahughes, dbhole, jvanek, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-21 16:32:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1810784, 1810785, 1810786, 1810787, 1810788, 1826104    
Bug Blocks: 1810559    

Description Tomas Hoger 2020-04-14 17:34:49 UTC
A flaw was found in the TLS implementation in the JSSE component of OpenJDK.  Setting algorithm constraints on SSLParameters using the setAlgorithmConstraints() method could override the systems security policy defined using the jdk.tls.disabledAlgorithms security property and lead to the use of weak algorithms that were intended to be disabled.

Comment 1 Tomas Hoger 2020-04-14 22:24:23 UTC
Public now via Oracle CPU April 2020:

https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA

Fixed in Oracle Java SE 14.0.1 and 11.0.7.

Comment 2 errata-xmlrpc 2020-04-21 11:17:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1509 https://access.redhat.com/errata/RHSA-2020:1509

Comment 3 errata-xmlrpc 2020-04-21 16:32:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1514 https://access.redhat.com/errata/RHSA-2020:1514

Comment 4 Product Security DevOps Team 2020-04-21 16:32:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2778

Comment 5 errata-xmlrpc 2020-04-22 09:15:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1517 https://access.redhat.com/errata/RHSA-2020:1517

Comment 6 Tomas Hoger 2020-05-14 08:25:44 UTC
OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/36975c9e57a3