Bug 1211543 – CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1211543 - (CVE-2015-0488) CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)

Summary:	CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, ...

Status:	CLOSED ERRATA

Aliases:	CVE-2015-0488

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150414,repor...
Keywords:	Security

Depends On:
Blocks:	1209063
	Show dependency tree / graph

Reported:	2015-04-14 05:37 EDT by Tomas Hoger
Modified:	2015-06-11 09:22 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	IcedTea6 1.13.7, IcedTea7 2.5.5
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-05-20 16:39:34 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0806	normal	SHIPPED_LIVE	Critical: java-1.7.0-openjdk security update	2015-04-15 16:54:17 EDT
Red Hat Product Errata	RHSA-2015:0807	normal	SHIPPED_LIVE	Important: java-1.7.0-openjdk security update	2015-04-14 20:18:32 EDT
Red Hat Product Errata	RHSA-2015:0808	normal	SHIPPED_LIVE	Important: java-1.6.0-openjdk security update	2015-04-15 16:44:55 EDT
Red Hat Product Errata	RHSA-2015:0809	normal	SHIPPED_LIVE	Important: java-1.8.0-openjdk security update	2015-04-15 15:15:09 EDT
Red Hat Product Errata	RHSA-2015:0854	normal	SHIPPED_LIVE	Critical: java-1.8.0-oracle security update	2017-12-15 10:34:03 EST
Red Hat Product Errata	RHSA-2015:0857	normal	SHIPPED_LIVE	Critical: java-1.7.0-oracle security update	2017-12-15 10:35:29 EST
Red Hat Product Errata	RHSA-2015:0858	normal	SHIPPED_LIVE	Important: java-1.6.0-sun security update	2017-12-15 10:32:13 EST
Red Hat Product Errata	RHSA-2015:1006	normal	SHIPPED_LIVE	Critical: java-1.6.0-ibm security update	2015-05-13 13:34:08 EDT
Red Hat Product Errata	RHSA-2015:1007	normal	SHIPPED_LIVE	Critical: java-1.7.0-ibm security update	2015-05-13 13:33:04 EDT
Red Hat Product Errata	RHSA-2015:1020	normal	SHIPPED_LIVE	Critical: java-1.7.1-ibm security update	2015-05-20 19:05:51 EDT
Red Hat Product Errata	RHSA-2015:1021	normal	SHIPPED_LIVE	Important: java-1.5.0-ibm security update	2015-05-20 18:36:22 EDT
Red Hat Product Errata	RHSA-2015:1091	normal	SHIPPED_LIVE	Low: Red Hat Satellite IBM Java Runtime security update	2015-06-11 13:21:29 EDT

Groups: None (edit)

Description Tomas Hoger 2015-04-14 05:37:23 EDT

A flaw was found in the way the JSSE (Java Secure Socket Extension) component in OpenJDK parsed X.509 certificate options.  A specially-crafted certificate could cause JSSE to raise an unexpected exception, possibly causing an application using JSSE to exit unexpectedly.

Comment 1 Tomas Hoger 2015-04-14 15:45:37 EDT

Public now via Oracle Critical Patch Update - April 2015.  Fixed in Oracle Java SE 6u95, 7u79, and 8u45.

External References:

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA

Comment 2 errata-xmlrpc 2015-04-14 16:19:02 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0807 https://rhn.redhat.com/errata/RHSA-2015-0807.html

Comment 3 errata-xmlrpc 2015-04-15 11:16:28 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0809 https://rhn.redhat.com/errata/RHSA-2015-0809.html

Comment 4 errata-xmlrpc 2015-04-15 12:58:26 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0808 https://rhn.redhat.com/errata/RHSA-2015-0808.html

Comment 5 errata-xmlrpc 2015-04-15 12:58:56 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0806 https://rhn.redhat.com/errata/RHSA-2015-0806.html

Comment 6 Tomas Hoger 2015-04-16 08:51:02 EDT

This issue was fixed in IcedTea6 1.13.7 and IcedTea7 2.5.5:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-April/031449.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-April/031450.html

Upstream OpenJDK commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/04cda5b7a3c1

Comment 7 errata-xmlrpc 2015-04-17 06:29:31 EDT

This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0854 https://rhn.redhat.com/errata/RHSA-2015-0854.html

Comment 8 errata-xmlrpc 2015-04-20 10:08:56 EDT

This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0857 https://rhn.redhat.com/errata/RHSA-2015-0857.html

Comment 9 errata-xmlrpc 2015-04-20 10:28:41 EDT

This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2015:0858 https://rhn.redhat.com/errata/RHSA-2015-0858.html

Comment 10 errata-xmlrpc 2015-05-13 09:34:03 EDT

This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1007 https://rhn.redhat.com/errata/RHSA-2015-1007.html

Comment 11 errata-xmlrpc 2015-05-13 09:35:39 EDT

This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:1006 https://rhn.redhat.com/errata/RHSA-2015-1006.html

Comment 12 errata-xmlrpc 2015-05-20 14:36:53 EDT

This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1021 https://rhn.redhat.com/errata/RHSA-2015-1021.html

Comment 13 errata-xmlrpc 2015-05-20 15:06:26 EDT

This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2015:1020 https://rhn.redhat.com/errata/RHSA-2015-1020.html

Comment 14 errata-xmlrpc 2015-06-11 09:22:03 EDT

This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6
  Red Hat Satellite Server v 5.7

Via RHSA-2015:1091 https://rhn.redhat.com/errata/RHSA-2015-1091.html

Note You need to log in before you can comment on or make changes to this bug.