Bug 1357494 (CVE-2016-3458) - CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718)
Summary: CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3458
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1350028
TreeView+ depends on / blocked
 
Reported: 2016-07-18 11:40 UTC by Tomas Hoger
Modified: 2019-09-29 13:53 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-26 15:15:04 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1458 normal SHIPPED_LIVE Critical: java-1.8.0-openjdk security update 2016-07-20 16:11:36 UTC
Red Hat Product Errata RHSA-2016:1475 normal SHIPPED_LIVE Critical: java-1.8.0-oracle security update 2017-12-14 21:39:19 UTC
Red Hat Product Errata RHSA-2016:1476 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-14 22:54:27 UTC
Red Hat Product Errata RHSA-2016:1477 normal SHIPPED_LIVE Moderate: java-1.6.0-sun security update 2017-12-14 20:16:39 UTC
Red Hat Product Errata RHSA-2016:1504 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2016-09-16 11:11:24 UTC
Red Hat Product Errata RHSA-2016:1776 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2016-08-26 16:59:28 UTC

Description Tomas Hoger 2016-07-18 11:40:55 UTC
It was discovered that the CORBA component of OpenJDK did not sufficiently restrict the use of custom ValueHandler when performing object deserialization.  An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

Comment 1 Tomas Hoger 2016-07-20 07:34:41 UTC
Public now via Oracle CPU July 2016, fixed in Oracle JDK 8u101, 7u111, and 6u121.

External References:

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA

Comment 2 Tomas Hoger 2016-07-20 07:38:39 UTC
There is an entry in the release notes related to this issue:

http://www.oracle.com/technetwork/java/javase/8u101-relnotes-3021761.html

  other-libs/corba
  Improve access control to javax.rmi.CORBA.ValueHandler

  The javax.rmi.CORBA.Util class provides methods that can be used by stubs
  and ties to perform common operations. It also acts as a factory for
  ValueHandlers. The javax.rmi.CORBA.ValueHandler interface provides services
  to support the reading and writing of value types to GIOP streams. The
  security awareness of these utilities has been enhanced with the
  introduction of a permission
  java.io.SerializablePermission("enableCustomValueHanlder").
  This is used to establish a trust relationship between the users of the
  javax.rmi.CORBA.Util and javax.rmi.CORBA.ValueHandler APIs.

  The required permission is "enableCustomValueHanlder"
  SerializablePermission. Third party code running with a SecurityManager
  installed, but not having the new permission while invoking
  Util.createValueHandler(), will fail with an AccessControlException.

  This permission check behaviour can be overridden, in JDK8u and previous
  releases, by defining a system property,
  "jdk.rmi.CORBA.allowCustomValueHandler".

  As such, external applications that explicitly call
  javax.rmi.CORBA.Util.createValueHandler require a configuration change
  to function when a SecurityManager is installed and neither of the
  following two requirements is met: 

  1. The java.io.SerializablePermission("enableCustomValueHanlder") is not
  granted by SecurityManager.

  2. In the case of applications running on JDK8u and before, the system
  property "jdk.rmi.CORBA.allowCustomValueHandler" is either not defined or
  is defined equal to "false" (case insensitive).

  Please note that the "enableCustomValueHanlder" typo will be corrected in
  the October 2016 releases. In those and future JDK releases,
  "enableCustomValueHandler" will be the correct SerializationPermission
  to use.

  JDK-8079718 (not public)

Note that OpenJDK packages in Red Hat Enterprise Linux will use correctly spelt name for the "enableCustomValueHandler" permission, but will also recognize mis-spelt "enableCustomValueHanlder" for compatibility with Oracle JDK.

Comment 3 Tomas Hoger 2016-07-20 09:41:33 UTC
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/corba/rev/4821afbaa2a6

Comment 4 errata-xmlrpc 2016-07-20 12:13:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1458 https://access.redhat.com/errata/RHSA-2016:1458

Comment 5 errata-xmlrpc 2016-07-21 10:20:32 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2016:1477 https://access.redhat.com/errata/RHSA-2016:1477

Comment 6 errata-xmlrpc 2016-07-21 10:21:19 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2016:1476 https://access.redhat.com/errata/RHSA-2016:1476

Comment 7 errata-xmlrpc 2016-07-21 10:22:30 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:1475 https://access.redhat.com/errata/RHSA-2016:1475

Comment 8 errata-xmlrpc 2016-07-27 11:43:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1504 https://rhn.redhat.com/errata/RHSA-2016-1504.html

Comment 9 errata-xmlrpc 2016-08-26 13:00:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1776 https://rhn.redhat.com/errata/RHSA-2016-1776.html


Note You need to log in before you can comment on or make changes to this bug.