Bug 1183039 – CVE-2015-0400 OpenJDK: NTLM authentication data disclosure via redirect to proxy (Libraries, 8048035)

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1183039 - (CVE-2015-0400) CVE-2015-0400 OpenJDK: NTLM authentication data disclosure via redirect to proxy (Libraries, 8048035)

Summary:	CVE-2015-0400 OpenJDK: NTLM authentication data disclosure via redirect to pr...

Status:	CLOSED NOTABUG

Aliases:	CVE-2015-0400

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150120,repor...
Keywords:	Security

Depends On:
Blocks:	1179762
	Show dependency tree / graph

Reported:	2015-01-16 09:26 EST by Tomas Hoger
Modified:	2015-01-26 09:53 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-01-16 09:27:49 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Tomas Hoger 2015-01-16 09:26:29 EST

A flaw was found in the way the HTTPUrlConnection class in the Libraries component in OpenJDK handled HTTP 305 "Use Proxy" server responses when using NTLM transparent proxy authentication.  A malicious HTTP server could possibly cause an application using HTTPUrlConnection to disclose NTLM authentication data to an attacker-chosen proxy server.

Note that the NTLM transparent authentication is only available in OpenJDK versions on the Microsoft Windows platform.  Therefore, the OpenJDK packages in Red Hat Enterprise Linux and Fedora were not affected by this issue.

Comment 1 Tomas Hoger 2015-01-16 09:27:49 EST

Statement:

Not vulnerable. This issue did not affect the versions of OpenJDK and Oracle JDK as shipped with Red Hat Enterprise Linux.

Comment 2 Tomas Hoger 2015-01-20 17:23:17 EST

Public now via Oracle Critical Patch Update - January 2015.  Fixed in Oracle Java SE 6u91, 7u75, and 8u31.

External References:

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA

Comment 3 Tomas Hoger 2015-01-22 07:04:15 EST

Upstream OpenJDK commits:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/e64096846c20
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1e79baf89075

Comment 4 Tomas Hoger 2015-01-26 09:53:06 EST

This issue was fixed in IcedTea6 1.13.6 and IcedTea7 2.5.4:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-January/030488.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-January/030469.html

Note You need to log in before you can comment on or make changes to this bug.