Red Hat Bugzilla – Bug 1273637
CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)
Last modified: 2016-07-18 09:54:43 EDT
It was discovered that the JAXP component of OpenJDK did not use efficient data structures to store data from parsed XML documents. A specially-crafted XML input could cause a Java application using JAXP to use an excessive amount of CPU time by e.g. triggering hash collisions.
Public now via Oracle Critical Patch Update - October 2015. Fixed in Oracle Java SE 6u105, 7u91, and 8u65. External References: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2015:1921 https://rhn.redhat.com/errata/RHSA-2015-1921.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2015:1920 https://rhn.redhat.com/errata/RHSA-2015-1920.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2015:1919 https://rhn.redhat.com/errata/RHSA-2015-1919.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2015:1928 https://rhn.redhat.com/errata/RHSA-2015-1928.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2015:1926 https://rhn.redhat.com/errata/RHSA-2015-1926.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2015:1927 https://rhn.redhat.com/errata/RHSA-2015-1927.html
OpenJDK8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/5f65805254c3
While this issue affects the JAXP libraries used by EAP, it's possible to override them with the patched ones from the JDK using the instructions in this article: https://access.redhat.com/solutions/874723
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2015:2086 https://rhn.redhat.com/errata/RHSA-2015-2086.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2015:2508 https://rhn.redhat.com/errata/RHSA-2015-2508.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2015:2507 https://rhn.redhat.com/errata/RHSA-2015-2507.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2015:2509 https://rhn.redhat.com/errata/RHSA-2015-2509.html
This issue has been addressed in the following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 7 Via RHSA-2015:2506 https://rhn.redhat.com/errata/RHSA-2015-2506.html
Closed the EAP trackers as won't fix because the issue was ranked as moderate and there is a workaround. The workaround is to use your own JAXP libraries by packaging them with your application. https://access.redhat.com/solutions/874723
This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430