Bug 1233697 (CVE-2015-5235) - CVE-2015-5235 icedtea-web: applet origin spoofing
Summary: CVE-2015-5235 icedtea-web: applet origin spoofing
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1259311
Blocks: 1233713
TreeView+ depends on / blocked
 
Reported: 2015-06-19 12:27 UTC by Tomas Hoger
Modified: 2019-09-29 13:34 UTC (History)
8 users (show)

Fixed In Version: icedtea-web 1.5.3, icedtea-web 1.6.1
Doc Type: Bug Fix
Doc Text:
It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin.
Clone Of:
Environment:
Last Closed: 2016-05-11 06:37:52 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0778 normal SHIPPED_LIVE Moderate: icedtea-web security, bug fix, and enhancement update 2016-05-10 22:35:24 UTC

Description Tomas Hoger 2015-06-19 12:27:11 UTC
Andrea Palazzo reported the following problem affecting IcedTea-Web:

"""
When requesting authorization to run an unsigned applet, a warning message is prompted, indicating the domain from which the applet's code is being requested. It is possible to tamper with this value just supplying an arbitrary value as codebase.  This issue could be exploited to abuse the eventual presence of whitelisted domains in the victim config (something like A 1434665367633 .* \Qhttp://trusted-site/\E) to gain unauthorized execution or to trick the user into allowing an application leveraging on the trust he could have for a well known domain.
"""

Acknowledgement:

Name: Andrea Palazzo (Truel IT)

Comment 2 jiri vanek 2015-06-20 19:02:35 UTC
This is nice example, where http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library will help a lot.

Comment 36 jiri vanek 2015-09-01 11:36:40 UTC
Dialogue informing user about laoded reources (similar to https://bugzilla.redhat.com/attachment.cgi?id=1064644) improved and enabled for unsigned apps.
Pushed to head - http://icedtea.classpath.org/hg/icedtea-web/rev/531034ce3e30

Comment 37 jiri vanek 2015-09-01 12:54:41 UTC
(In reply to jiri vanek from comment #12)
> Created attachment 1042634 [details]
> patch with improved tests
> 
> fix is same, just added three more tests for surrounding cases.

Pushed to head - http://icedtea.classpath.org/hg/icedtea-web/rev/ee5e2cb91774

Comment 39 Tomas Hoger 2015-09-02 11:59:11 UTC
Created icedtea-web tracking bugs for this issue:

Affects: fedora-all [bug 1259311]

Comment 42 jiri vanek 2015-09-03 13:11:58 UTC
Versioned .appletTrustSetting patch pushed to head
http://icedtea.classpath.org/hg/icedtea-web/rev/5ddfe3e389ab

Comment 43 jiri vanek 2015-09-03 13:29:32 UTC
Short summary:

The issue is fixed via two steps:
 -  First, when applet is saved for whole codebase, also docbase is include
So Instead of rcord like 
metadata|docbase     |codebase    |another data
.     ..|  .*        | some.url/.*|...
we save something like
.     ..|doc.url/.*  | some.url/.*|...

 - Second, all resources going out of codebase AND docbase are reported to user

Comment 44 jiri vanek 2015-09-03 13:30:20 UTC
As partially related changeset, possibly already infected records are moved to backup and not used by updated versions

Comment 45 jiri vanek 2015-09-08 12:14:19 UTC
all related changes pushed to 1.6 branch

Comment 46 jiri vanek 2015-09-08 15:21:31 UTC
all related changes pushed to 1.5 branch

Comment 48 Tomas Hoger 2015-12-14 20:52:44 UTC
Patches for this issue were included in upstream versions 1.6.1 and 1.5.3.

Comment 49 Tomas Hoger 2015-12-15 09:25:09 UTC
This issue was corrected in Red Hat Enterprise Linux 7.2 when icedtea-web packages were updated to upstream version 1.6.1:

https://rhn.redhat.com/errata/RHBA-2015-2457.html

Comment 50 errata-xmlrpc 2016-05-10 20:14:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0778 https://rhn.redhat.com/errata/RHSA-2016-0778.html


Note You need to log in before you can comment on or make changes to this bug.