Bug 767129

Summary: java-1.6.0-openjdk: CVE-2011-3389/7064341 fix regression [rhel-6]
Product: Red Hat Enterprise Linux 6 Reporter: Tomas Hoger <thoger>
Component: java-1.6.0-openjdkAssignee: Deepak Bhole <dbhole>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: ahughes, aogburn, djorm, jawilson, lakagwu, psplicha, tfonteyn
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 767132 (view as bug list) Environment:
Last Closed: 2012-02-16 09:40:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Tomas Hoger 2011-12-13 10:37:41 UTC 
Description of problem:
A regression was found in the fix for CVE-2011-3389/7064341 that was applied to Oracle JDK 6u29 and matching OpenJDK update.  This causes connections to certain SSL servers to hang:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725

In our case, this problem was reported for JBoss products using JDBC to connect to Microsoft SQL server.  Some workarounds were identified:
- use non-CBC cipher (e.g. one of RC4 cipher suites)
- disable CVE-2011-3389 mitigation using -Djsse.enableCBCProtection=false

Related Support Essentials article:
https://access.redhat.com/kb/docs/DOC-67350
Comment 4 Tomas Hoger 2011-12-19 13:33:38 UTC 
Oracle 6u30 was released to address this issue:

http://www.oracle.com/technetwork/java/javase/6u30-relnotes-1394870.html
Comment 8 Deepak Bhole 2011-12-22 02:08:22 UTC 
Fixed in upstream OpenJDK:

http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/cb20ed4b953a
Comment 10 Andrew John Hughes 2011-12-23 01:02:26 UTC 
Fix is in IcedTea6 HEAD:

http://icedtea.classpath.org/hg/icedtea6/rev/8a24f86753c6

Needs backporting to branches.
Comment 11 Andrew John Hughes 2012-01-12 13:38:49 UTC 
This is fixed in the latest upstream release:

http://blog.fuseyism.com/index.php/2012/01/12/icedtea6-1-8-12-1-9-12-and-1-10-5-released/

I'll leave others to comment on when this will be packaged for RHEL.
Comment 15 Tomas Hoger 2012-02-16 09:40:27 UTC 
This was fixed upstream in IcedTea 1.10.5.  We have updated to 1.10.6 in RHSA-2012:0135, hence this issue is fixed.

https://rhn.redhat.com/errata/RHSA-2012-0135.html