Bug 1386103 - (CVE-2016-5597) CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20161018,repor...
Keywords: Security
Depends On:
Blocks: 1381992
Reported: 2016-10-18 03:32 EDT by Tomas Hoger
Modified: 2017-12-07 12:19 EST

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if the proxy asked for authentication.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-13 03:12:37 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker                 ID              Priority  Status        Summary                                        Last Updated
Red Hat Product Errata  RHSA-2016:2079  normal    SHIPPED_LIVE  Critical: java-1.8.0-openjdk security update   2016-10-19 14:58:57 EDT
Red Hat Product Errata  RHSA-2016:2088  normal    SHIPPED_LIVE  Critical: java-1.8.0-oracle security update    2017-12-14 17:30:51 EST
Red Hat Product Errata  RHSA-2016:2089  normal    SHIPPED_LIVE  Critical: java-1.7.0-oracle security update    2017-12-14 17:42:23 EST
Red Hat Product Errata  RHSA-2016:2090  normal    SHIPPED_LIVE  Important: java-1.6.0-sun security update      2017-12-14 15:03:08 EST
Red Hat Product Errata  RHSA-2016:2136  normal    SHIPPED_LIVE  Critical: java-1.8.0-ibm security update       2016-11-02 11:06:24 EDT
Red Hat Product Errata  RHSA-2016:2137  normal    SHIPPED_LIVE  Critical: java-1.7.1-ibm security update       2016-11-02 11:05:59 EDT
Red Hat Product Errata  RHSA-2016:2138  normal    SHIPPED_LIVE  Critical: java-1.7.0-ibm security update       2016-11-02 11:05:40 EDT
Red Hat Product Errata  RHSA-2016:2658  normal    SHIPPED_LIVE  Important: java-1.7.0-openjdk security update  2016-11-07 13:27:12 EST
Red Hat Product Errata  RHSA-2016:2659  normal    SHIPPED_LIVE  Critical: java-1.6.0-ibm security update       2016-11-07 09:05:44 EST
Red Hat Product Errata  RHSA-2017:0061  normal    SHIPPED_LIVE  Important: java-1.6.0-openjdk security update  2017-01-13 00:00:28 EST
Red Hat Product Errata  RHSA-2017:1216  normal    SHIPPED_LIVE  Moderate: java-1.7.1-ibm security update       2017-05-09 16:41:26 EDT

Description Tomas Hoger 2016-10-18 03:32:31 EDT
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication.  A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if the proxy asked for authentication.

Two new network system properties are introduced as part of the fix, which restrict the HTTP authentication schemes that can be used for authentication to the proxy depending on whether the proxied request is HTTP or HTTPS:

- jdk.http.auth.proxying.disabledSchemes lists authentication schemes that cannot be used for proxy authentication when proxying an HTTP request.  No schemes are disabled by default.

- jdk.http.auth.tunneling.disabledSchemes lists authentication schemes that cannot be used for proxy authentication when proxying an HTTPS request (using the HTTP CONNECT method).  The 'Basic' HTTP authentication scheme is disabled by default.
Comment 1 Tomas Hoger 2016-10-18 03:56:15 EDT
This fix seems to work around bugs in applications rather than address a flaw in the JDK.  The problematic scenario is:

- A Java application connects to some HTTPS server, and the server requires HTTP authentication.

- The application normally connects to the server directly, or using an HTTP proxy which does not require authentication.

- The java.net.Authenticator subclass used in the application to provide authentication credentials to the Networking component of the JDK does not properly check which requestor host/port and which requestor type is requesting credentials, i.e. it returns server authentication credentials when asked for proxy authentication credentials.

The problem happens when the connection is made via an HTTP proxy that requires HTTP Basic authentication.  The application sends out the server credentials over a plain text connection to the proxy, even though those credentials are only meant to be sent over an encrypted connection and only to the target server.

It can be argued that this change also works around problems in the API design and/or documentation (as the example in the official documentation does not include any requestor type checks either).

http://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html

This fix breaks the use case where properly implemented applications, which distinguish server and proxy authentication credentials, make HTTPS connections via an HTTP proxy that requires Basic authentication.  After this fix, Basic authentication will no longer be tried and the application will not be asked for proxy authentication credentials.  Note that HTTP connections from the same application sent via the same proxy will not be affected.  Removing Basic from tunneling.disabledSchemes would avoid the breakage in this use case.  On the Java command line, this can be used:

  -Djdk.http.auth.tunneling.disabledSchemes=
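As an added illustration of the application-side check described in comment 1 (example code written for this page, not from the bug report, OpenJDK, or the linked Oracle documentation), the following java.net.Authenticator subclass releases its credentials only when the JDK is authenticating to the intended HTTPS server and declines every proxy request; the host, port and credential values are placeholders.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;

// Added example (not from the bug report or OpenJDK): credentials are scoped
// to one HTTPS origin and withheld from proxies, which is the check comment 1
// says the affected applications lacked.
public class ScopedAuthenticator extends Authenticator {
    // Placeholder origin and credentials; replace with real values.
    static final String SERVER_HOST = "api.example.test";
    static final int SERVER_PORT = 443;
    static final String USER = "placeholder-user";
    static final char[] PASS = "placeholder-password".toCharArray();

    // Pure policy function so it can be checked without a network: release
    // credentials only for a SERVER request, over https, to exactly the
    // expected host and port.  RequestorType.PROXY is what the JDK passes when
    // a proxy answers 407, and that leg is plain text, so it is always refused.
    static boolean shouldRelease(RequestorType type, String protocol,
                                 String host, int port) {
        return type == RequestorType.SERVER
                && "https".equalsIgnoreCase(protocol)
                && SERVER_HOST.equalsIgnoreCase(host)   // false if host is null
                && port == SERVER_PORT;
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // The pattern comment 1 describes as vulnerable is the unconditional
        //   return new PasswordAuthentication(USER, PASS);
        if (!shouldRelease(getRequestorType(), getRequestingProtocol(),
                           getRequestingHost(), getRequestingPort())) {
            return null;   // null tells the JDK no credentials are available
        }
        return new PasswordAuthentication(USER, PASS);
    }

    public static void main(String[] args) {
        // Install process-wide; HttpURLConnection consults it on 401 and 407.
        Authenticator.setDefault(new ScopedAuthenticator());
        // Sanity checks on the policy (run with -ea); no network needed.
        assert shouldRelease(RequestorType.SERVER, "https", "api.example.test", 443);
        assert !shouldRelease(RequestorType.PROXY, "http", "proxy.example.test", 3128);
        assert !shouldRelease(RequestorType.SERVER, "http", "api.example.test", 80);
        assert !shouldRelease(RequestorType.SERVER, "https", "other.example.test", 443);
    }
}
```

With this check in place the JDK-side default of disabling Basic for HTTPS tunneling is a second line of defence rather than the only one, and an application that genuinely needs Basic proxy authentication for tunnels can clear jdk.http.auth.tunneling.disabledSchemes as shown above without reintroducing the credential leak.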
Comment 2 Tomas Hoger 2016-10-18 14:42:16 EDT
This change has the following entry in the release notes for Oracle JDK 8u111, 7u121, and 6u131:

http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_121
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_131

  Disable Basic authentication for HTTPS tunneling

  In some environments, certain authentication schemes may be undesirable
  when proxying HTTPS. Accordingly, the Basic authentication scheme has been
  deactivated, by default, in the Oracle Java Runtime, by adding Basic to the
  jdk.http.auth.tunneling.disabledSchemes networking property. Now, proxies
  requiring Basic authentication when setting up a tunnel for HTTPS will no
  longer succeed by default. If required, this authentication scheme can be
  reactivated by removing Basic from the
  jdk.http.auth.tunneling.disabledSchemes networking property, or by setting
  a system property of the same name to "" ( empty ) on the command line.

  Additionally, the jdk.http.auth.tunneling.disabledSchemes and
  jdk.http.auth.proxying.disabledSchemes networking properties, and system
  properties of the same name, can be used to disable other authentication
  schemes that may be active when setting up a tunnel for HTTPS, or proxying
  plain HTTP, respectively.

  JDK-8160838 (not public)
Comment 3 Tomas Hoger 2016-10-18 16:10:02 EDT
Public now via Oracle CPU October 2016, fixed in Oracle JDK 8u111, 7u121, and 6u131.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA
Comment 4 Tomas Hoger 2016-10-19 04:05:09 EDT
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d689f7b806c8
Comment 5 errata-xmlrpc 2016-10-19 11:19:55 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:2079 https://rhn.redhat.com/errata/RHSA-2016-2079.html
Comment 6 errata-xmlrpc 2016-10-20 08:38:56 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2088 https://rhn.redhat.com/errata/RHSA-2016-2088.html
Comment 7 errata-xmlrpc 2016-10-20 08:49:41 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2090 https://rhn.redhat.com/errata/RHSA-2016-2090.html
Comment 8 errata-xmlrpc 2016-10-20 08:50:41 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:2089 https://rhn.redhat.com/errata/RHSA-2016-2089.html
Comment 9 errata-xmlrpc 2016-11-02 14:21:23 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2016:2138 https://rhn.redhat.com/errata/RHSA-2016-2138.html
Comment 10 errata-xmlrpc 2016-11-02 14:22:02 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:2137 https://rhn.redhat.com/errata/RHSA-2016-2137.html
Comment 11 errata-xmlrpc 2016-11-02 14:22:49 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2016:2136 https://rhn.redhat.com/errata/RHSA-2016-2136.html
Comment 12 errata-xmlrpc 2016-11-07 04:06:25 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:2659 https://rhn.redhat.com/errata/RHSA-2016-2659.html
Comment 13 errata-xmlrpc 2016-11-07 08:28:27 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2016:2658 https://rhn.redhat.com/errata/RHSA-2016-2658.html
Comment 14 errata-xmlrpc 2017-01-12 19:01:48 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2017:0061 https://rhn.redhat.com/errata/RHSA-2017-0061.html
Comment 15 errata-xmlrpc 2017-05-09 12:42:11 EDT
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216