Bug 706250 (CVE-2011-0872)

Summary: CVE-2011-0872 OpenJDK: non-blocking sockets incorrectly selected for reading (NIO, 6213702)
Product: [Other] Security Response Reporter: Marc Schoenefeld <mschoene>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahughes, aph, dbhole, gregw, jvanek, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-03 13:58:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 8 Tomas Hoger 2011-06-07 11:44:56 UTC 
A flaw was found in the NIO implementation of JRE on Microsoft Windows platforms. A non-blocking sockets with TCP urgent disabled could incorrectly get selected for reading.

Statement:

Not vulnerable. This issue only affected Java versions running on Windows platform. It did not affect the versions of java-1.6.0-openjdk as shipped with Red Hat Enterprise Linux 5 and 6, and the java-1.6.0-sun packages as shipped with Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6 Supplementary.
Comment 9 Tomas Hoger 2011-06-08 06:36:50 UTC 
Public now via Oracle CPU June 2011:
http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

Also fixed in IcedTea6 versions 1.8.8, 1.9.8 and 1.10.2:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-June/014607.html

Patch:
http://icedtea.classpath.org/hg/release/icedtea6-1.9/file/8d393fbff5d3/patches/security/20110607/6213702.patch
Comment 10 Greg Wilkins 2012-01-15 23:41:02 UTC 
We have a problem with the Jetty server hanging which looks to be a result of this "fix".

The symptom is that the server accepts new connections, but never processes any input on them.  On inspection, we can see that the call to the NIO selector is blocked in the discardUrgentData method.

We are not yet sure what causes the problem to occur, but suspect it is bad data on one connection.  If so, then this fix is allowing a DoS attack because 1 bad connection can lock an entire selector.

See https://bugs.eclipse.org/bugs/show_bug.cgi?id=357318
Comment 11 Tomas Hoger 2012-01-19 15:52:08 UTC 
Greg, we did not actually do much about this issue on our side given that this problem / fix was Windows-specific.  If I correctly read the info in your Jetty bug, the issue is only reproducible on Windows platform, so may indeed be related to this fix.

This should be reported to Oracle.  As was done already:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=357318#c47
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7130796

If you want to make sure this appears on the Oracle security team radar, you may drop them a mail.  You can find contact information on their Reporting Security Vulnerabilities page:
http://www.oracle.com/us/support/assurance/reporting/index.html