Bug 1413955 (CVE-2017-3241) - CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DGC (RMI, 8156802)
Status: CLOSED ERRATA
Alias: CVE-2017-3241
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=critical,public=20170117,repor...
Keywords: Security
Depends On:
Blocks: 1410614
Reported: 2017-01-17 12:33 UTC by Tomas Hoger
Modified: 2018-04-18 01:44 UTC (History)
Doc Text:
It was discovered that the RMI registry and DGC implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.
Last Closed: 2017-02-28 09:24:58 UTC

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:0175 | normal | SHIPPED_LIVE | Critical: java-1.8.0-oracle security update | 2017-12-14 19:50:08 UTC
Red Hat Product Errata | RHSA-2017:0176 | normal | SHIPPED_LIVE | Critical: java-1.7.0-oracle security update | 2017-12-14 20:16:27 UTC
Red Hat Product Errata | RHSA-2017:0177 | normal | SHIPPED_LIVE | Critical: java-1.6.0-sun security update | 2017-12-14 19:35:31 UTC
Red Hat Product Errata | RHSA-2017:0180 | normal | SHIPPED_LIVE | Critical: java-1.8.0-openjdk security update | 2017-01-20 16:04:36 UTC
Red Hat Product Errata | RHSA-2017:0263 | normal | SHIPPED_LIVE | Critical: java-1.8.0-ibm security update | 2017-02-09 17:05:35 UTC
Red Hat Product Errata | RHSA-2017:0269 | normal | SHIPPED_LIVE | Critical: java-1.7.0-openjdk security update | 2017-02-13 16:17:52 UTC
Red Hat Product Errata | RHSA-2017:0336 | normal | SHIPPED_LIVE | Critical: java-1.7.1-ibm security update | 2017-02-28 13:19:38 UTC
Red Hat Product Errata | RHSA-2017:0337 | normal | SHIPPED_LIVE | Critical: java-1.7.0-ibm security update | 2017-02-28 13:19:27 UTC
Red Hat Product Errata | RHSA-2017:0338 | normal | SHIPPED_LIVE | Critical: java-1.6.0-ibm security update | 2017-02-28 13:29:25 UTC
Red Hat Product Errata | RHSA-2017:1216 | normal | SHIPPED_LIVE | Moderate: java-1.7.1-ibm security update | 2017-05-09 20:41:26 UTC

Description Tomas Hoger 2017-01-17 12:33:11 UTC
It was discovered that the RMI registry and DGC (Distributed Garbage Collector) implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.

Comment 1 Tomas Hoger 2017-01-17 13:03:52 UTC
This issue was addressed by defining serial filters for RMI registry and RMI DGC. Built-in filters can be overridden via sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties defined in the java.security files, or via system properties of the same name.

This fix builds on top of another change introduced in the Jan 2017 CPU - 8155760 - which adds serialization filtering. It makes it possible to define a serialization filter, which controls which classes are allowed to appear in the serialized input and sets limits for the deserialization process. The system-wide filter can be defined using the jdk.serialFilter security or system property. No filter is defined by default.
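
The allow-list filtering described in Comment 1, as an added example that is not part of the original bug report or the OpenJDK fix. It assumes JDK 9 or later, where the JEP 290 API is public as java.io.ObjectInputFilter; the class names SerialFilterDemo and Ping are hypothetical, and the pattern is a constructed one in the same syntax the jdk.serialFilter, sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter properties accept.

```java
import java.io.*;
import java.util.HashMap;

public class SerialFilterDemo {
    // Hypothetical application type that the receiving service expects.
    static class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final int seq;
        Ping(int seq) { this.seq = seq; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserialize with the given filter installed; report the outcome as text.
    static String readFiltered(byte[] data, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed pattern: allow one class, cap the object graph depth,
        // and reject every class not listed. The same string could be given
        // as the value of jdk.serialFilter to apply it process-wide.
        String pattern = Ping.class.getName() + ";maxdepth=5;!*";
        ObjectInputFilter base = ObjectInputFilter.Config.createFilter(pattern);
        // Wrapper that prints each class the filter is asked to decide on.
        ObjectInputFilter logging = info -> {
            ObjectInputFilter.Status s = base.checkInput(info);
            if (info.serialClass() != null) {
                System.out.println("  filter: " + info.serialClass().getName() + " -> " + s);
            }
            return s;
        };
        System.out.println(readFiltered(serialize(new Ping(1)), logging));
        System.out.println(readFiltered(serialize(new HashMap<String, String>()), logging));
    }
}
```

The second stream is rejected when its class descriptor is read, before any HashMap instance is created.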

Comment 2 Tomas Hoger 2017-01-17 21:23:09 UTC
Related entry in the Oracle JDK release notes:

http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_131
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_141

  core-libs/java.rmi
  RMI Better constraint checking

  RMI Registry and Distributed Garbage Collection use the mechanisms of JEP
  290 Serialization Filtering to improve service robustness. RMI Registry and
  DGC implement built-in white-list filters for the typical classes expected
  to be used with each service. Additional filter patterns can be configured
  using either a system property or a security property. The
  "sun.rmi.registry.registryFilter" and "sun.rmi.transport.dgcFilter" property
  pattern syntax is described in JEP 290 and in
  <JRE>/lib/security/java.security.
  JDK-8156802 (not public)

The required serialization filtering feature is also mentioned:

  core-libs/java.io:serialization
  Serialization Filter Configuration

  Serialization Filtering introduces a new mechanism which allows incoming
  streams of object-serialization data to be filtered in order to improve
  both security and robustness. Every ObjectInputStream applies a filter, if
  configured, to the stream contents during deserialization. Filters are set
  using either a system property or a configured security property. The value
  of the "jdk.serialFilter" patterns are described in JEP 290 Serialization
  Filtering and in <JRE>/lib/security/java.security. Filter actions are
  logged to the 'java.io.serialization' logger, if enabled.
  See JDK-8155760

Referenced JEP and upstream bug:

http://openjdk.java.net/jeps/290
https://bugs.openjdk.java.net/browse/JDK-8155760

Comment 3 Tomas Hoger 2017-01-17 21:36:33 UTC
Public now via Oracle CPU January 2017:

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA

The issue was fixed in Oracle JDK 8u121, 7u131, and 6u141.

Comment 4 Tomas Hoger 2017-01-18 20:53:38 UTC
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/75f31e0bd829

Required serialization filtering implementation:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/09c05d3bf23e

Comment 5 errata-xmlrpc 2017-01-19 14:01:27 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2017:0176 https://rhn.redhat.com/errata/RHSA-2017-0176.html

Comment 6 errata-xmlrpc 2017-01-19 14:03:27 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:0175 https://rhn.redhat.com/errata/RHSA-2017-0175.html

Comment 7 errata-xmlrpc 2017-01-19 14:10:48 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:0177 https://rhn.redhat.com/errata/RHSA-2017-0177.html

Comment 8 errata-xmlrpc 2017-01-20 11:06:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:0180 https://rhn.redhat.com/errata/RHSA-2017-0180.html

Comment 9 errata-xmlrpc 2017-02-09 12:07:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:0263 https://rhn.redhat.com/errata/RHSA-2017-0263.html

Comment 10 errata-xmlrpc 2017-02-13 11:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 5

Via RHSA-2017:0269 https://rhn.redhat.com/errata/RHSA-2017-0269.html

Comment 11 errata-xmlrpc 2017-02-28 08:21:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2017:0337 https://rhn.redhat.com/errata/RHSA-2017-0337.html

Comment 12 errata-xmlrpc 2017-02-28 08:23:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:0336 https://rhn.redhat.com/errata/RHSA-2017-0336.html

Comment 13 errata-xmlrpc 2017-02-28 08:31:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2017:0338 https://rhn.redhat.com/errata/RHSA-2017-0338.html

Comment 14 errata-xmlrpc 2017-05-09 16:43:44 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216

