Bug 452649 (CVE-2008-3105)

Summary: CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)
Product: [Other] Security Response Reporter: Marc Schoenefeld <mschoene>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aph, kreilly, rruss, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 21:31:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 454628, 456880, 456881, 457470, 462076, 462486, 475760, 475765, 475766, 475819    
Bug Blocks:    

Description Marc Schoenefeld 2008-06-24 09:59:35 UTC 
From Sun pre-notification, 6/23/2008

1. 6542088
A vulnerability in the Java™ Runtime Environment with processing XML data may 
allow unauthorized access to certain URL resources (such as some files and web 
pages) or a Denial of Service (DoS) condition to be created on the system 
running the JRE.

For this vulnerability to be exploited, the JAX-WS client or service in a 
trusted application needs to process XML data that contains malicious content. 
This vulnerability cannot be exploited through an untrusted applet or untrusted 
Java Web Start application.
Comment 3 Fedora Update System 2008-07-09 19:17:12 UTC 
java-1.6.0-openjdk-1.6.0.0-0.16.b09.fc9 has been submitted as an update for Fedora 9
Comment 4 Fedora Update System 2008-07-09 21:46:47 UTC 
java-1.7.0-icedtea-1.7.0.0-0.20.b21.snapshot.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-07-15 12:13:22 UTC 
java-1.6.0-openjdk-1.6.0.0-0.16.b09.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Marc Schoenefeld 2009-08-06 07:59:31 UTC 
Note: the Red Hat Security Advisory RHSA-2008:0906 (java-1.6.0-ibm SR 2) included a fix for CVE-2008-3105. This fix is not enabled by default. In order to activate the fix, set the "javax.xml.stream.supportDTD" and "com.ibm.xml.xlxp.support.dtd.compat.mode" system properties to "false",
for example:

export IBM_JAVA_OPTIONS='-Djavax.xml.stream.supportDTD=false
-Dcom.ibm.xml.xlxp.support.dtd.compat.mode=false'
Comment 14 Vincent Danen 2010-12-23 21:31:59 UTC 
This was addressed via:

RHEL Supplementary version 5 (java-1.6.0-sun) RHSA-2008:0594
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-ibm) RHSA-2008:0906
RHEL Supplementary version 5 (java-1.6.0-ibm) RHSA-2008:0906