Bug 1183039 (CVE-2015-0400) - CVE-2015-0400 OpenJDK: NTLM authentication data disclosure via redirect to proxy (Libraries, 8048035)
Summary: CVE-2015-0400 OpenJDK: NTLM authentication data disclosure via redirect to pr...
Alias: CVE-2015-0400
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1179762
TreeView+ depends on / blocked
Reported: 2015-01-16 14:26 UTC by Tomas Hoger
Modified: 2021-02-17 05:48 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-01-16 14:27:49 UTC

Attachments (Terms of Use)

Description Tomas Hoger 2015-01-16 14:26:29 UTC
A flaw was found in the way the HTTPUrlConnection class in the Libraries component in OpenJDK handled HTTP 305 "Use Proxy" server responses when using NTLM transparent proxy authentication.  A malicious HTTP server could possibly cause an application using HTTPUrlConnection to disclose NTLM authentication data to an attacker-chosen proxy server.

Note that the NTLM transparent authentication is only available in OpenJDK versions on the Microsoft Windows platform.  Therefore, the OpenJDK packages in Red Hat Enterprise Linux and Fedora were not affected by this issue.

Comment 1 Tomas Hoger 2015-01-16 14:27:49 UTC

Not vulnerable. This issue did not affect the versions of OpenJDK and Oracle JDK as shipped with Red Hat Enterprise Linux.

Comment 2 Tomas Hoger 2015-01-20 22:23:17 UTC
Public now via Oracle Critical Patch Update - January 2015.  Fixed in Oracle Java SE 6u91, 7u75, and 8u31.

External References:


Note You need to log in before you can comment on or make changes to this bug.