Bug 1386103 (CVE-2016-5597) - CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
Summary: CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy...
Status: CLOSED ERRATA
Alias: CVE-2016-5597
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161018,repor...
Keywords: Security
Depends On:
Blocks: 1381992
TreeView+ depends on / blocked
 
Reported: 2016-10-18 07:32 UTC by Tomas Hoger
Modified: 2017-12-07 17:19 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-13 08:12:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2079 normal SHIPPED_LIVE Critical: java-1.8.0-openjdk security update 2016-10-19 18:58:57 UTC
Red Hat Product Errata RHSA-2016:2088 normal SHIPPED_LIVE Critical: java-1.8.0-oracle security update 2017-12-14 22:30:51 UTC
Red Hat Product Errata RHSA-2016:2089 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-14 22:42:23 UTC
Red Hat Product Errata RHSA-2016:2090 normal SHIPPED_LIVE Important: java-1.6.0-sun security update 2017-12-14 20:03:08 UTC
Red Hat Product Errata RHSA-2016:2136 normal SHIPPED_LIVE Critical: java-1.8.0-ibm security update 2016-11-02 15:06:24 UTC
Red Hat Product Errata RHSA-2016:2137 normal SHIPPED_LIVE Critical: java-1.7.1-ibm security update 2016-11-02 15:05:59 UTC
Red Hat Product Errata RHSA-2016:2138 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2016-11-02 15:05:40 UTC
Red Hat Product Errata RHSA-2016:2658 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2016-11-07 18:27:12 UTC
Red Hat Product Errata RHSA-2016:2659 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2016-11-07 14:05:44 UTC
Red Hat Product Errata RHSA-2017:0061 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2017-01-13 05:00:28 UTC
Red Hat Product Errata RHSA-2017:1216 normal SHIPPED_LIVE Moderate: java-1.7.1-ibm security update 2017-05-09 20:41:26 UTC

Description Tomas Hoger 2016-10-18 07:32:31 UTC
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication.  A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication.

Two new network system properties are introduced as part of the fix which restrict HTTP authentication schemes that can be used for authentication to proxy depending on whether proxied request is HTTP or HTTPS:

- jdk.http.auth.proxying.disabledSchemes lists authentication schemes that can not be used for proxy authentication when proxying HTTP request.  No schemes are disabled by default.

- jdk.http.auth.tunneling.disabledSchemes lists authentication schemes that can not be used for proxy authentication when proxying HTTPS request (using HTTP CONNECT method).  The 'Basic' HTTP authentication scheme is disabled by default.

Comment 1 Tomas Hoger 2016-10-18 07:56:15 UTC
This fix seems to workaround bugs in applications rather than address a flaw in JDK.  The problematic scenario is:

- A Java application connects to some HTTPS server, and the server requires HTTP authentication.

- The application normally connects to the server directly, or using a HTTP proxy which does not require authentication.

- java.net.Authenticator subclass used in the application to provide authentication credentials to the Networking component of JDK does not properly check which requestor host/port and which requestor type is requesting credentials.  I.e. it returns server authentication credentials when asked for proxy authentication credentials.

Problem happens when connection is made via HTTP proxy that requires HTTP Basic authentication.  The application sends out server credentials over plain text connection to the proxy, even though those credentials are only meant to be sent over encrypted connection and only to the target server.

It can be argued that this change also works around problems in the API design and/or documentation (as example in the official documentation does not include any requestor type checks either).

http://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html

This fix breaks use case where properly implemented applications, that distinguishes server and proxy authentication credentials, makes HTTPS connections via a HTTP proxy that requires Basic authentication.  After this fix, Basic authentication will no longer be tried and the application will not be asked for proxy authentication credentials.  Note that HTTP connections from the same application sent via the same proxy will not be affected.  Removing Basic from the tunneling.disabledSchemes would avoid the breakage in this use case.  On the Java command line, this can be used:

  -Djdk.http.auth.tunneling.disabledSchemes=

Comment 2 Tomas Hoger 2016-10-18 18:42:16 UTC
This change has the following entry in the release notes for Oracle JDK 8u111, 7u121, and 6u131:

http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_121
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_131

  Disable Basic authentication for HTTPS tunneling

  In some environments, certain authentication schemes may be undesirable
  when proxying HTTPS. Accordingly, the Basic authentication scheme has been
  deactivated, by default, in the Oracle Java Runtime, by adding Basic to the
  jdk.http.auth.tunneling.disabledSchemes networking property. Now, proxies
  requiring Basic authentication when setting up a tunnel for HTTPS will no
  longer succeed by default. If required, this authentication scheme can be
  reactivated by removing Basic from the
  jdk.http.auth.tunneling.disabledSchemes networking property, or by setting
  a system property of the same name to "" ( empty ) on the command line.

  Additionally, the jdk.http.auth.tunneling.disabledSchemes and
  jdk.http.auth.proxying.disabledSchemes networking properties, and system
  properties of the same name, can be used to disable other authentication
  schemes that may be active when setting up a tunnel for HTTPS, or proxying
  plain HTTP, respectively.

  JDK-8160838 (not public)

Comment 3 Tomas Hoger 2016-10-18 20:10:02 UTC
Public now via Oracle CPU October 2016, fixed in Oracle JDK 8u111, 7u121, and 6u131.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA

Comment 4 Tomas Hoger 2016-10-19 08:05:09 UTC
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d689f7b806c8

Comment 5 errata-xmlrpc 2016-10-19 15:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:2079 https://rhn.redhat.com/errata/RHSA-2016-2079.html

Comment 6 errata-xmlrpc 2016-10-20 12:38:56 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2088 https://rhn.redhat.com/errata/RHSA-2016-2088.html

Comment 7 errata-xmlrpc 2016-10-20 12:49:41 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2090 https://rhn.redhat.com/errata/RHSA-2016-2090.html

Comment 8 errata-xmlrpc 2016-10-20 12:50:41 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2089 https://rhn.redhat.com/errata/RHSA-2016-2089.html

Comment 9 errata-xmlrpc 2016-11-02 18:21:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2016:2138 https://rhn.redhat.com/errata/RHSA-2016-2138.html

Comment 10 errata-xmlrpc 2016-11-02 18:22:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:2137 https://rhn.redhat.com/errata/RHSA-2016-2137.html

Comment 11 errata-xmlrpc 2016-11-02 18:22:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2016:2136 https://rhn.redhat.com/errata/RHSA-2016-2136.html

Comment 12 errata-xmlrpc 2016-11-07 09:06:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:2659 https://rhn.redhat.com/errata/RHSA-2016-2659.html

Comment 13 errata-xmlrpc 2016-11-07 13:28:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2016:2658 https://rhn.redhat.com/errata/RHSA-2016-2658.html

Comment 14 errata-xmlrpc 2017-01-13 00:01:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2017:0061 https://rhn.redhat.com/errata/RHSA-2017-0061.html

Comment 15 errata-xmlrpc 2017-05-09 16:42:11 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216


Note You need to log in before you can comment on or make changes to this bug.