Red Hat Bugzilla – Bug 1320650
CVE-2016-0636 OpenJDK: missing type safety checks for MethodHandle calls across class loaders, incorrect CVE-2013-5838 fix (Hotspot, 8151666)
Last modified: 2017-12-14 14:54:37 EST
It was discovered that the security fix for CVE-2013-5838 was incomplete and still allowed remote attackers to escape the Java security sandbox mechanism. The root problem is that the Reflection API does not properly guarantee type safety when Method Handle objects were invoked across two different Class Loader namespaces. A part of the original patch was to use the "loadersAreRelated()" method to ensure that the two Class Loaders are related, which is a condition for correct type safety. However, this condition could be easily fulfilled by abusing certain behaviours in the class loading process, which could allow an attacker to bypass the type safety checks and ultimately escapte the security sandbox mechanism. External References: http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636 http://seclists.org/fulldisclosure/2016/Mar/31 http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf
Public now via "Oracle Security Alert for CVE-2016-0636": http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636 Fixed in Oracle Java SE 7u99 and 8u77.
This update seems to be addressing this issue from Adam Gowdiak of Security Explorations: http://seclists.org/fulldisclosure/2016/Mar/31 http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf The reported issue in an incorrect fix for CVE-2013-5838 (bug 1019300).
(In reply to Tomas Hoger from comment #8) > This update seems to be addressing this issue from Adam Gowdiak of Security > Explorations: > > http://seclists.org/fulldisclosure/2016/Mar/31 This is now confirmed by the Security Explorations' site: http://www.security-explorations.com/en/SE-2012-01-status.html 24-Mar-2016 - Oracle provides a status report regarding a broken security fix for Issue 69. The company informs that it was fixed by Security Alert for CVE-2016-0636 issued on Mar 23, 2016.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0511 https://rhn.redhat.com/errata/RHSA-2016-0511.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:0516 https://rhn.redhat.com/errata/RHSA-2016-0516.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2016:0515 https://rhn.redhat.com/errata/RHSA-2016-0515.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0514 https://rhn.redhat.com/errata/RHSA-2016-0514.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0513 https://rhn.redhat.com/errata/RHSA-2016-0513.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Via RHSA-2016:0512 https://rhn.redhat.com/errata/RHSA-2016-0512.html
OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44179bce874
IBM indicates their JRE/JDK were not affected by this issue: http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_Security_Alert_for_CVE-2016-0636