Bug 1233697 – CVE-2015-5235 icedtea-web: applet origin spoofing

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1233697 - (CVE-2015-5235) CVE-2015-5235 icedtea-web: applet origin spoofing

Summary:	CVE-2015-5235 icedtea-web: applet origin spoofing

Status:	CLOSED ERRATA

Aliases:	CVE-2015-5235

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150902,repor...
Keywords:	Security

Depends On:	1259311
Blocks:	1233713
	Show dependency tree / graph

Reported:	2015-06-19 08:27 EDT by Tomas Hoger
Modified:	2016-05-11 02:37 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	icedtea-web 1.5.3, icedtea-web 1.6.1
Doc Type:	Bug Fix
Doc Text:	It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-05-11 02:37:52 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:0778	normal	SHIPPED_LIVE	Moderate: icedtea-web security, bug fix, and enhancement update	2016-05-10 18:35:24 EDT

Groups: None (edit)

Description Tomas Hoger 2015-06-19 08:27:11 EDT

Andrea Palazzo reported the following problem affecting IcedTea-Web:

"""
When requesting authorization to run an unsigned applet, a warning message is prompted, indicating the domain from which the applet's code is being requested. It is possible to tamper with this value just supplying an arbitrary value as codebase.  This issue could be exploited to abuse the eventual presence of whitelisted domains in the victim config (something like A 1434665367633 .* \Qhttp://trusted-site/\E) to gain unauthorized execution or to trick the user into allowing an application leveraging on the trust he could have for a well known domain.
"""

Acknowledgement:

Name: Andrea Palazzo (Truel IT)

Comment 2 jiri vanek 2015-06-20 15:02:35 EDT

This is nice example, where http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library will help a lot.

Comment 36 jiri vanek 2015-09-01 07:36:40 EDT

Dialogue informing user about laoded reources (similar to https://bugzilla.redhat.com/attachment.cgi?id=1064644) improved and enabled for unsigned apps.
Pushed to head - http://icedtea.classpath.org/hg/icedtea-web/rev/531034ce3e30

Comment 37 jiri vanek 2015-09-01 08:54:41 EDT

(In reply to jiri vanek from comment #12)
> Created attachment 1042634 [details]
> patch with improved tests
> 
> fix is same, just added three more tests for surrounding cases.

Pushed to head - http://icedtea.classpath.org/hg/icedtea-web/rev/ee5e2cb91774

Comment 39 Tomas Hoger 2015-09-02 07:59:11 EDT

Created icedtea-web tracking bugs for this issue:

Affects: fedora-all [bug 1259311]

Comment 42 jiri vanek 2015-09-03 09:11:58 EDT

Versioned .appletTrustSetting patch pushed to head
http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab

Comment 43 jiri vanek 2015-09-03 09:29:32 EDT

Short summary:

The issue is fixed via two steps:
 -  First, when applet is saved for whole codebase, also docbase is include
So Instead of rcord like 
metadata|docbase     |codebase    |another data
.     ..|  .*        | some.url/.*|...
we save something like
.     ..|doc.url/.*  | some.url/.*|...

 - Second, all resources going out of codebase AND docbase are reported to user

Comment 44 jiri vanek 2015-09-03 09:30:20 EDT

As partially related changeset, possibly already infected records are moved to backup and not used by updated versions

Comment 45 jiri vanek 2015-09-08 08:14:19 EDT

all related changes pushed to 1.6 branch

Comment 46 jiri vanek 2015-09-08 11:21:31 EDT

all related changes pushed to 1.5 branch

Comment 48 Tomas Hoger 2015-12-14 15:52:44 EST

Patches for this issue were included in upstream versions 1.6.1 and 1.5.3.

Comment 49 Tomas Hoger 2015-12-15 04:25:09 EST

This issue was corrected in Red Hat Enterprise Linux 7.2 when icedtea-web packages were updated to upstream version 1.6.1:

https://rhn.redhat.com/errata/RHBA-2015-2457.html

Comment 50 errata-xmlrpc 2016-05-10 16:14:39 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0778 https://rhn.redhat.com/errata/RHSA-2016-0778.html

Note You need to log in before you can comment on or make changes to this bug.