A flaw was found in the way the HTTPUrlConnection class in the Libraries component in OpenJDK handled HTTP 305 "Use Proxy" server responses when using NTLM transparent proxy authentication. A malicious HTTP server could possibly cause an application using HTTPUrlConnection to disclose NTLM authentication data to an attacker-chosen proxy server. Note that the NTLM transparent authentication is only available in OpenJDK versions on the Microsoft Windows platform. Therefore, the OpenJDK packages in Red Hat Enterprise Linux and Fedora were not affected by this issue.
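The risk described above is that the client, not the application author, decides to re-send a request through whatever proxy a 305 response names. The following is an added example, not code from OpenJDK or Red Hat: a small client that disables automatic redirect handling in `HttpURLConnection`, checks the status itself, and refuses a 305 "Use Proxy" rather than following it, exercised against a local `com.sun.net.httpserver` stub that emits such a response. It assumes that turning off instance redirect following also stops the 305 re-request path, which is how I read the `HttpURLConnection` implementation; the explicit status check makes the refusal independent of that. The proxy address is a constructed placeholder and is never contacted.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

/**
 * Added example (not OpenJDK code): an HttpURLConnection client that never
 * follows an HTTP 305 "Use Proxy" response on its own, plus a local stub server
 * that returns such a response so the behaviour can be checked offline.
 */
public class UseProxyGuard {

    /** Start a local server that answers every request with 305 and a Location header. */
    static HttpServer startServerReturning305(String proxyLocation) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            exchange.getResponseHeaders().add("Location", proxyLocation);
            exchange.sendResponseHeaders(HttpURLConnection.HTTP_USE_PROXY, -1); // no body
            exchange.close();
        });
        server.start();
        return server;
    }

    /**
     * Fetch a URL with automatic redirect handling disabled. A 305 is reported
     * and refused instead of being re-sent through the server-chosen proxy.
     * Returns the status code that was actually received.
     */
    static int fetchWithoutFollowing(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        // Assumption: the 305 re-request shares the redirect-following switch,
        // so switching it off keeps the client from contacting the named proxy.
        conn.setInstanceFollowRedirects(false);
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode();
        if (status == HttpURLConnection.HTTP_USE_PROXY) {
            // Log the proxy the server asked for, but never connect to it.
            String loc = conn.getHeaderField("Location");
            System.err.println("Refusing HTTP 305 Use Proxy; server named proxy: " + loc);
        }
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws IOException {
        // Constructed placeholder address; nothing is ever sent to it.
        HttpServer server = startServerReturning305("http://proxy.example.invalid:8080");
        try {
            URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            int status = fetchWithoutFollowing(url);
            System.out.println("Status seen by client: " + status); // 305, not followed
        } finally {
            server.stop(0);
        }
    }
}
```

Run with `javac UseProxyGuard.java && java UseProxyGuard`. The same status check is the thing to look for in an application that cannot upgrade: any credential-bearing HTTP client on Windows that lets the library follow a 305 unattended is handing the choice of proxy, and therefore of NTLM challenge source, to the remote server.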
Statement: Not vulnerable. This issue did not affect the versions of OpenJDK and Oracle JDK as shipped with Red Hat Enterprise Linux.
Public now via Oracle Critical Patch Update - January 2015. Fixed in Oracle Java SE 6u91, 7u75, and 8u31.
External References:
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA
Upstream OpenJDK commits:
http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/e64096846c20
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1e79baf89075
This issue was fixed in IcedTea6 1.13.6 and IcedTea7 2.5.4:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-January/030488.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-January/030469.html