Bug 431416 (CVE-2008-0628)

Summary: CVE-2008-0628 java-1.6.0 default external entity processing
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: kreilly
Keywords: Security
Hardware: All
OS: Linux
URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1
Doc Type: Bug Fix
Last Closed: 2013-04-12 05:01:01 UTC
Bug Depends On: 443139

Description Marc Schoenefeld 2008-02-04 11:40:09 UTC
Sun describes a 1.6.0-only (1.4, 1.5 not affected) XML processing vulnerability
(insecure default) at
http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1. 
This bug may cause effects similar to CVE-2007-5461. 

Vendor Description:

The Java Runtime Environment (JRE) by default allows external entity references
to be processed. To turn off processing of external entity references, sites can
set the "external general entities" property to FALSE. This property is provided
since it may be possible to leverage the processing of external entity
references to access certain URL resources (such as some files and web pages) or
create a Denial of Service (DoS) condition on the system running the JRE. A
defect in the JRE allows external entity references to be processed even when
the "external general entities" property is set to FALSE.

For this vulnerability to be exploited, a trusted application needs to process
XML data that contains malicious content. This vulnerability cannot be exploited
through an untrusted applet or untrusted Java Web Start application.
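The following check is an added example, not code from the Sun advisory, Red Hat or this bug's reporters. It builds one DocumentBuilder with the "external general entities" feature the advisory names set to FALSE, and a second one that disallows DOCTYPE declarations outright, then reports whether either parser attempted to resolve an external entity from a constructed document. The feature URIs are the standard SAX and Xerces ones; the entity URL is a placeholder that is never fetched because the resolver returns empty content.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ExternalEntityCheck {
    // Constructed test document (not from the advisory): one external general
    // entity pointing at a placeholder URL, referenced once in the body.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"http://placeholder.invalid/entity\">]>\n"
        + "<r>&ext;</r>";

    // Returns true if the parser built from this factory tried to resolve
    // the external entity, i.e. the setting did not take effect.
    static boolean parserResolvesExternalEntities(DocumentBuilderFactory f) throws Exception {
        final boolean[] resolved = {false};
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> {
            resolved[0] = true;                            // any call here means the entity was processed
            return new InputSource(new StringReader(""));  // hand back empty content, never fetch the URL
        });
        try {
            b.parse(new InputSource(new StringReader(DOC)));
        } catch (SAXException e) {
            // a factory that disallows DOCTYPE rejects the document before any resolution happens
        }
        return resolved[0];
    }

    public static void main(String[] args) throws Exception {
        // The property the advisory refers to: external general (and parameter) entities off.
        DocumentBuilderFactory property = DocumentBuilderFactory.newInstance();
        property.setFeature("http://xml.org/sax/features/external-general-entities", false);
        property.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        System.out.println("external-general-entities=false, entity resolved: "
            + parserResolvesExternalEntities(property));

        // Stronger setting: refuse DOCTYPE declarations entirely, plus secure processing.
        DocumentBuilderFactory hardened = DocumentBuilderFactory.newInstance();
        hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        hardened.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        System.out.println("disallow-doctype-decl=true, entity resolved: "
            + parserResolvesExternalEntities(hardened));
    }
}
```

On a JRE where the property is honoured both lines report false; a runtime with the defect described above would show true on the first line while the DOCTYPE-disallowing configuration still reports false.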

Comment 1 Thomas Fitzsimmons 2008-02-05 21:14:56 UTC
bugs.sun.com isn't showing me the cited bug report.  I've asked my Sun contact
how to map vulnerability fixes to OpenJDK commits.

Comment 2 Thomas Fitzsimmons 2008-02-05 22:19:31 UTC
This bug does not affect IcedTea.  The OpenJDK release incorporated by the
current IcedTea releases contains the fix.

In general, Sun plans to implement a security update scheme whereby fixes are
applied and reported at the same time across all their JDK products including
OpenJDK.  When this plan is implemented it will be easier to map security fixes
to OpenJDK releases.  In the meantime, I'll ask my Sun contact about each one.

Comment 3 Tomas Hoger 2008-02-07 08:15:28 UTC
See also:

http://scary.beasts.org/security/CESA-2007-002.html

Comment 7 Vincent Danen 2013-04-12 05:01:01 UTC
The list of fixed products with their respective errata is here:

https://access.redhat.com/security/cve/CVE-2008-0628