Bug 1288070 - Suspected security vulnerability in sun.nio.ch.PipeImpl
Summary: Suspected security vulnerability in sun.nio.ch.PipeImpl
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: java-1.8.0-openjdk
Version: rawhide
Hardware: All
OS: Windows
unspecified
unspecified
Target Milestone: ---
Assignee: Deepak Bhole
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-12-03 12:40 UTC by Matthias-Christian Ott
Modified: 2015-12-03 20:19 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-12-03 20:19:01 UTC
Type: Bug
Embargoed:



Description Matthias-Christian Ott 2015-12-03 12:40:59 UTC
sun.nio.ch.PipeImpl creates a TCP/IP socket pair and binds socket sc2 to an ephemeral port on 127.0.0.1. It then generates a 64-bit random number with an insecure random number generator, connects from sc1 to sc2 and sends the generated number. If the received number matches the sent number, the connection is established. Otherwise a new random number is generated and the process is repeated until the numbers match.

On most operating systems there is no access control for loopback TCP/IP connections (in their default configuration), so an attacker can submit their own guess of the random number by exploiting a race condition. This would at most require 2^64 attempts (the usual speed-ups apply). Moreover, the attack can be significantly accelerated by the fact that the random number generator is partially predictable. If CryptGenRandom fails on Microsoft Windows, the seed for the random number generator is java.lang.System#nanoTime and the number of invocations of java.util.Random. Both values can be estimated by the attacker by observing the use of system resources. Otherwise the seed of the random number generator is 64-bit.
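For readers following the report, a hardened version of the loopback handshake it describes, as an added example that is not part of the original report and is not OpenJDK's code. The class `LoopbackPair`, the method `open()` and the `MAX_ACCEPTS` bound are hypothetical; the sketch draws the nonce from `java.security.SecureRandom` and also requires the accepted peer to be sc1's own local endpoint.

```java
import java.io.IOException;
import java.net.*;
import java.nio.ByteBuffer;
import java.nio.channels.*;
import java.security.SecureRandom;

// Hypothetical class for illustration; not OpenJDK's PipeImpl.
public class LoopbackPair {
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, not java.util.Random
    private static final int MAX_ACCEPTS = 16; // assumed bound on foreign connections tolerated

    /** Returns {sc1, sc2}, the two ends of one verified loopback TCP connection. */
    public static SocketChannel[] open() throws IOException {
        try (ServerSocketChannel ssc = ServerSocketChannel.open()) {
            // Ephemeral port, loopback interface only.
            ssc.bind(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0));
            SocketChannel sc1 = SocketChannel.open(ssc.getLocalAddress());
            long nonce = RNG.nextLong();
            ByteBuffer out = ByteBuffer.allocate(Long.BYTES);
            out.putLong(nonce);
            out.flip();
            while (out.hasRemaining()) sc1.write(out);

            for (int i = 0; i < MAX_ACCEPTS; i++) {
                SocketChannel sc2 = ssc.accept();
                // Check 1, before any read so a foreign peer cannot stall us: peer must be sc1.
                if (!sc1.getLocalAddress().equals(sc2.getRemoteAddress())) {
                    sc2.close();
                    continue;
                }
                // Check 2: the nonce must arrive intact.
                ByteBuffer in = ByteBuffer.allocate(Long.BYTES);
                while (in.hasRemaining() && sc2.read(in) >= 0) { }
                in.flip();
                if (in.remaining() == Long.BYTES && in.getLong() == nonce) {
                    return new SocketChannel[] { sc1, sc2 };
                }
                sc2.close();
            }
            sc1.close();
            throw new IOException("loopback handshake failed");
        }
    }

    public static void main(String[] args) throws IOException {
        SocketChannel[] pair = open();
        System.out.println(pair[0].getLocalAddress() + " <-> " + pair[1].getLocalAddress());
        pair[0].close(); pair[1].close();
    }
}
```

The listener is closed by the try-with-resources block as soon as the pair is returned, so no further connections can be queued against the ephemeral port.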

Comment 4 Deepak Bhole 2015-12-03 20:19:01 UTC
Hello, thank you for reporting this issue. Red Hat only supports OpenJDK on Linux at this time, and this issue appears to affect Windows specifically.

Please report this issue to Oracle directly as they maintain OpenJDK on Windows actively: 

https://www.oracle.com/support/assurance/vulnerability-remediation/reporting-security-vulnerabilities.html

Closing issue here.

