It was discovered that the Libraries component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm. The fix for this issue adds new security property - jdk.jar.disabledAlgorithms - which defines a set of algorithms not allowed to be used during Jar verification. MD2 hash algorithm and RSA keys with less than 1024 bits are disabled by default. Future updates are also expected to disable MD5 hash algorithm by default.
This change has the following entry in the release notes for Oracle JDK 8u111, 7u121, and 6u131: http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_121 http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_131 Restrict JARs signed with weak algorithms and keys This JDK release introduces new restrictions on how signed JAR files are verified. If the signed JAR file uses a disabled algorithm or key size less than the minimum length, signature verification operations will ignore the signature and treat the JAR file as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files: 1. Applets or Web Start Applications 2. Standalone or Server Applications run with a SecurityManager enabled and that are configured with a policy file that grants permissions based on the code signer(s) of the JAR. The list of disabled algorithms is controlled via a new security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files. The following algorithms and key sizes are restricted in this release: MD2 (in either the digest or signature algorithm) RSA keys less than 1024 bits NOTE: We are planning to restrict MD5-based signatures in signed JARs in the January 2017 CPU. To check if a weak algorithm or key was used to sign a JAR file, you can use the jarsigner binary that ships with this JDK. Running jarsigner -verify -J-Djava.security.debug=jar on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key. For example, to check a JAR file named test.jar, use the following command: jarsigner -verify -J-Djava.security.debug=jar test.jar If the file in this example was signed with a weak signature algorithm like MD2withRSA, the following output would be displayed: jar: beginEntry META-INF/my_sig.RSA jar: processEntry: processing block jar: processEntry caught: java.security.SignatureException: Signature check failed. Disabled algorithm used: MD2withRSA jar: done with meta! The updated jarsigner command will exit with the following warning printed to standard output: "Signature not parsable or verifiable. The jar will be treated as unsigned. The jar may have been signed with a weak algorithm that is now disabled. For more information, rerun jarsigner with debug enabled (-J-Djava.security.debug=jar)" To address the issue, the JAR file will need to be re-signed with a stronger algorithm or key size. Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms security property; however, this option is not recommended. Before re-signing affected JAR files, the existing signature(s) should be removed from the JAR. This can be done with the zip utility, as follows: zip -d test.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA' Please periodically check the Oracle JRE and JDK Cryptographic Roadmap at http://java.com/cryptoroadmap for planned restrictions to signed JAR files and other security components. In particular, please note the current plan is to restrict MD5-based signatures in signed JAR files in the January 2017 CPU. To test if your JARs have been signed with MD5, add MD5 to the jdk.jar.disabledAlgorithms security property, ex: jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 and then run jarsigner -verify -J-Djava.security.debug=jar on your JAR files as described above. JDK-8155973 (not public)
Public now via Oracle CPU October 2016, fixed in Oracle JDK 8u111, 7u121, and 6u131. External References: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA
OpenJDK 8 upstream commits: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/67252a0030a1 http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/55e37dab57a1 http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/ab26fe28f9ed Related change to jarsigned to warn about the use of weak algorithm for signature: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b1304d71a2ec
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:2079 https://rhn.redhat.com/errata/RHSA-2016-2079.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:2088 https://rhn.redhat.com/errata/RHSA-2016-2088.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:2090 https://rhn.redhat.com/errata/RHSA-2016-2090.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:2089 https://rhn.redhat.com/errata/RHSA-2016-2089.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Supplementary Via RHSA-2016:2138 https://rhn.redhat.com/errata/RHSA-2016-2138.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Red Hat Enterprise Linux 6 Supplementary Via RHSA-2016:2137 https://rhn.redhat.com/errata/RHSA-2016-2137.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 7 Supplementary Via RHSA-2016:2136 https://rhn.redhat.com/errata/RHSA-2016-2136.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Supplementary Red Hat Enterprise Linux 6 Supplementary Via RHSA-2016:2659 https://rhn.redhat.com/errata/RHSA-2016-2659.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2016:2658 https://rhn.redhat.com/errata/RHSA-2016-2658.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2017:0061 https://rhn.redhat.com/errata/RHSA-2017-0061.html
This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216