Bug 852051 (CVE-2012-4681)

Summary: CVE-2012-4681 OpenJDK: beans insufficient permission checks, Java 7 0day (beans, 7162473)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: ahughes, aph, bfreeman, cbuissar, chewi, daniell1, dbhole, djorm, fweimer, jlieskov, jvanek, kseifried, mcepl, mjw, omajid, ptisnovs, saud, security-response-team, towic38779
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-09-19 08:43:47 UTC
Bug Depends On: 852299, 852300, 852301, 852302, 852303, 852304, 852957, 852958, 854890, 854891, 856471
Bug Blocks: 852098

Description Tomas Hoger 2012-08-27 12:58:05 UTC
A 0-day flaw exploited in the wild has been reported to affect Java 7:

http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
http://pastie.org/4594319

This issue was confirmed to allow an unsigned applet to bypass Java applet restrictions and run arbitrary code on users' systems.

Comment 1 Tomas Hoger 2012-08-27 13:09:03 UTC
Code execution was confirmed with the latest Oracle and IBM Java 7 web browser plugin.  IcedTea-Web using OpenJDK7 blocks this exploit by not allowing an applet to change the SecurityManager (which is allowed in the Oracle and IBM Java plugins).

Java 6 is currently not known to be affected.

Comment 3 Tomas Hoger 2012-08-27 14:11:28 UTC
Secunia: http://secunia.com/advisories/50133/

Comment 5 David Jorm 2012-08-28 01:49:16 UTC
This flaw allows an attacker to circumvent all restrictions applied by the Java security manager. The Java security manager is used to sandbox Java applets in web browsers, but is also used in a variety of other applications. For example, Tomcat can optionally use the Java security manager to apply restrictions to deployed applications. This flaw affects these uses of the Java security manager, not just browser plugins for viewing Java applets.

Comment 9 David Jorm 2012-08-28 07:37:10 UTC
This statement was last updated on Sep 19, 2012.

Statement:

This flaw allowed an attacker to circumvent all restrictions applied by the Java security manager. The Java security manager is used to sandbox Java applets in web browsers, but is also used in a variety of other applications.

Red Hat has tested the flaw and confirmed that it affected Java SE 7 provided by OpenJDK 7 (java-1.7.0-openjdk), Oracle Java SE 7 (java-1.7.0-oracle) and IBM Java SE 7 (java-1.7.0-ibm) as shipped with Red Hat Enterprise Linux 6. Updates correcting this issue were released for all affected packages.

Comment 10 Tomas Hoger 2012-08-28 13:13:21 UTC
Details of the flaw from Michael Schierl:

http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html

Comment 12 Tomas Hoger 2012-08-28 14:22:05 UTC
(In reply to comment #1)
> IcedTea-Web using OpenJDK7 blocks this exploit by not allowing applet to
> change the SecurityManager (which is allowed in Oracle and IBM Java plugin).

Other attacks that do not try to change the SecurityManager may be used against IcedTea-Web using OpenJDK7.  Note that the IcedTea-Web browser plugin as shipped with Red Hat Enterprise Linux 6 currently only uses OpenJDK6.

Comment 13 Tomas Hoger 2012-08-28 15:46:45 UTC
Mozilla bug requesting blocking affected Java plugin versions:

https://bugzilla.mozilla.org/show_bug.cgi?id=785837

Comment 16 Tomas Hoger 2012-08-28 18:31:03 UTC
Another reference with relevant technical details:

http://www.alertlogic.com/java-7-classfinder-restricted-package-bypass/

Comment 19 David Jorm 2012-08-30 05:32:23 UTC
Created java-1.7.0-openjdk tracking bugs for this issue

Affects: fedora-16 [bug 852957]
Affects: fedora-17 [bug 852958]

Comment 21 Tomas Hoger 2012-08-30 07:38:42 UTC
According to the following post, issues used by this exploit were reported to upstream in April:

http://seclists.org/fulldisclosure/2012/Aug/336

Comment 22 Kurt Seifried 2012-08-30 08:21:01 UTC
Another reference with relevant technical details:

http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html

Comment 26 Kurt Seifried 2012-08-30 19:18:06 UTC
IcedTea-Web using OpenJDK7 blocks this exploit by not allowing an applet to change the SecurityManager (which is allowed in the Oracle and IBM Java plugins). However, it should be noted that:

"But there are other ways to abuse this bug to circumvent security restrictions in a more subtle way, so patching is still very recommended."

http://gnu.wildebeest.org/blog/mjw/2012/08/30/java-bug-cve-2012-4681/
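Comments 1, 12 and 26 all turn on the same defensive property: untrusted code running under a Java SecurityManager must not be able to replace or drop that manager. The following self-check is an added example, not code from this bug report, from OpenJDK or from IcedTea-Web; the class names SandboxSelfCheck and SandboxManager, the deny-only-two-things policy and the /etc/hostname path are constructed for illustration. It installs a minimal SecurityManager and confirms that both replacing the manager and reading a file are rejected, which is the check a deployment relying on the security manager (browser plugin, Tomcat, JBoss) would want to run against its own policy.

```java
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;

/**
 * Added self-check (not from the bug report or OpenJDK): installs a minimal
 * SecurityManager and verifies that the two things a sandbox must keep
 * untrusted code from doing, replacing the SecurityManager and reading the
 * file system, are actually rejected by the policy.
 */
public class SandboxSelfCheck {

    /** Constructed example policy: deny setSecurityManager and file reads,
     *  permit everything else so the check itself can run. A production
     *  policy would be far stricter; this only demonstrates the two checks. */
    static final class SandboxManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // System.setSecurityManager() asks for RuntimePermission("setSecurityManager")
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("sandbox: replacing the SecurityManager is denied");
            }
            // FileInputStream asks for FilePermission(path, "read")
            if (perm instanceof FilePermission
                    && perm.getActions().contains("read")) {
                throw new SecurityException("sandbox: file read denied: " + perm.getName());
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Runs one attempt and reports whether the sandbox rejected it. */
    static boolean isBlocked(Runnable attempt) {
        try {
            attempt.run();
            return false;          // attempt succeeded: the sandbox did NOT hold
        } catch (SecurityException expected) {
            return true;           // rejected by checkPermission
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new SandboxManager());

        // 1. Untrusted code must not be able to drop or replace the manager
        //    (the property IcedTea-Web enforces per comment 1).
        boolean smReplaceBlocked = isBlocked(new Runnable() {
            public void run() { System.setSecurityManager(null); }
        });

        // 2. Untrusted code must not be able to read arbitrary files.
        boolean fileReadBlocked = isBlocked(new Runnable() {
            public void run() {
                try (FileInputStream in = new FileInputStream("/etc/hostname")) {
                    in.read();
                } catch (IOException e) {
                    // An I/O failure (e.g. file missing) is not a sandbox failure.
                }
            }
        });

        System.out.println("setSecurityManager(null) blocked: " + smReplaceBlocked);
        System.out.println("file read blocked:               " + fileReadBlocked);
        if (!(smReplaceBlocked && fileReadBlocked)) {
            System.out.println("WARNING: sandbox policy does not hold");
        }
    }
}
```

Both checks printing "true" only shows that the policy, as configured, denies these operations; it says nothing about a JDK bug that lets code reach the same operations through a privileged path, which is exactly what this CVE did. As comments 12 and 26 point out, a runtime that merely refuses the SecurityManager swap is still exposed to other abuses of the underlying flaw, so the check complements patching rather than replacing it. The code is written to Java 7 syntax (anonymous Runnable, try-with-resources); on JDK 18 and later the SecurityManager is disabled by default and the program needs -Djava.security.manager=allow to run.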

Comment 27 Tomas Hoger 2012-08-31 07:21:35 UTC
Upstream commit, as applied to IcedTea 7 2.3 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/8a226f6a768a

This replaces the previous patch mentioned in comment #17.  The two patches are identical except for the formatting.

Comment 29 Tomas Hoger 2012-08-31 09:53:36 UTC
OpenJDK7 repositories commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/2c58f14f60c7

Comment 30 errata-xmlrpc 2012-09-03 13:01:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1223 https://rhn.redhat.com/errata/RHSA-2012-1223.html

Comment 32 errata-xmlrpc 2012-09-04 07:05:42 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1225 https://rhn.redhat.com/errata/RHSA-2012-1225.html

Comment 35 errata-xmlrpc 2012-09-18 22:53:12 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html

Comment 36 David Jorm 2012-09-19 08:50:26 UTC
This flaw affects users of JBoss middleware products who are using Java 7 and relying on the Java security manager to control the privileges of untrusted deployed applications. A malicious deployed application could use this flaw to circumvent the controls applied by the Java security manager. Affected JBoss middleware users are advised to use a patched implementation of Java 7. JBoss middleware users who are not using Java 7 or are not relying on the Java security manager are not affected by this flaw.