Bug 1443052 (CVE-2017-3509) - CVE-2017-3509 OpenJDK: improper re-use of NTLM authenticated connections (Networking, 8163520)
Summary: CVE-2017-3509 OpenJDK: improper re-use of NTLM authenticated connections (Net...
Status: CLOSED ERRATA
Alias: CVE-2017-3509
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170418,repor...
Keywords: Security
Depends On:
Blocks: 1438752
TreeView+ depends on / blocked
 
Reported: 2017-04-18 11:54 UTC by Tomas Hoger
Modified: 2018-08-01 17:41 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-10 13:46:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1108 normal SHIPPED_LIVE Moderate: java-1.8.0-openjdk security and bug fix update 2017-04-21 06:10:52 UTC
Red Hat Product Errata RHSA-2017:1109 normal SHIPPED_LIVE Moderate: java-1.8.0-openjdk security update 2017-04-20 23:27:18 UTC
Red Hat Product Errata RHSA-2017:1117 normal SHIPPED_LIVE Moderate: java-1.8.0-oracle security update 2017-12-14 20:17:15 UTC
Red Hat Product Errata RHSA-2017:1118 normal SHIPPED_LIVE Moderate: java-1.7.0-oracle security update 2017-12-14 19:52:56 UTC
Red Hat Product Errata RHSA-2017:1119 normal SHIPPED_LIVE Moderate: java-1.6.0-sun security update 2017-12-14 19:49:13 UTC
Red Hat Product Errata RHSA-2017:1204 normal SHIPPED_LIVE Moderate: java-1.7.0-openjdk security update 2017-05-09 14:46:54 UTC
Red Hat Product Errata RHSA-2017:1220 normal SHIPPED_LIVE Moderate: java-1.8.0-ibm security update 2017-05-10 16:44:34 UTC
Red Hat Product Errata RHSA-2017:1221 normal SHIPPED_LIVE Moderate: java-1.7.1-ibm security update 2017-05-10 16:44:04 UTC
Red Hat Product Errata RHSA-2017:1222 normal SHIPPED_LIVE Moderate: java-1.6.0-ibm security update 2017-05-10 16:43:49 UTC
Red Hat Product Errata RHSA-2017:3453 normal SHIPPED_LIVE Important: java-1.8.0-ibm security update 2017-12-13 21:48:15 UTC

Description Tomas Hoger 2017-04-18 11:54:42 UTC
It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache a connection using NTLM authentication and later re-use it in a different security context where no or different authentication was meant to be used.  A remote attacker could possibly use this flaw to make a Java application to perform HTTP requests authenticated with credentials of a different user.

The fix for this issue adds support for the "jdk.ntlm.cache" system property, which can be used to disable caching of NTLM authenticated connections when set to false.

Comment 1 Tomas Hoger 2017-04-18 18:29:46 UTC
Relevant entry in the Oracle JDK release notes:

http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_141
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_151

  core-libs/java.net
  New system property to control caching for HTTP NTLM connection.

  A new JDK implementation specific system property to control caching for
  HTTP NTLM connection is introduced. Caching for HTTP NTLM connection remains
  enabled by default, so if the property is not explicitly specified, there
  will be no behavior change.

  On some platforms, the HTTP NTLM implementation in the JDK can support
  transparent authentication, where the system user credentials are used at
  system level. When transparent authentication is not available or
  unsuccessful, the JDK only supports getting credentials from a global
  authenticator. If connection to the server is successful, the authentication
  information will then be cached and reused for further connections to the
  same server. In addition, connecting to an HTTP NTLM server usually involves
  keeping the underlying connection alive and reusing it for further requests
  to the same server. In some applications, it may be desirable to disable all
  caching for the HTTP NTLM protocol in order to force requesting new
  authentication with each new requests to the server.

  With this change, we now provide a new system property that allows control
  of the caching policy for HTTP NTLM connections. If jdk.ntlm.cache is
  defined and evaluates to false, then all caching will be disabled for HTTP
  NTLM connections. Setting this system property to false may, however,
  result in undesirable side effects:

  * Performance of HTTP NTLM connections may be severely impacted as the
  connection will need to be re-authenticated with each new request,
  requiring several communication exchanges with the server.

  * Credentials will need to be obtained again for each new request, which,
  depending on whether transparent authentication is available or not, and
  depending on the global Authenticator implementation, may result in a popup
  asking the user for credentials for every new request.

  JDK-8163520 (not public)

Comment 2 Tomas Hoger 2017-04-18 22:18:30 UTC
Public now via Oracle CPU April 20167, fixed in Oracle JDK 8u131, 7u141, and 6u151.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA

Comment 3 Tomas Hoger 2017-04-19 11:30:43 UTC
OpenJDK8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/bea5b22daf5d

Comment 4 errata-xmlrpc 2017-04-20 19:27:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1109

Comment 5 errata-xmlrpc 2017-04-21 02:11:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1108

Comment 6 errata-xmlrpc 2017-04-24 11:17:15 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1118

Comment 7 errata-xmlrpc 2017-04-24 11:18:09 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1117

Comment 8 errata-xmlrpc 2017-04-24 11:18:57 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1119 https://access.redhat.com/errata/RHSA-2017:1119

Comment 9 errata-xmlrpc 2017-05-09 10:47:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1204 https://access.redhat.com/errata/RHSA-2017:1204

Comment 10 errata-xmlrpc 2017-05-10 12:47:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:1222

Comment 11 errata-xmlrpc 2017-05-10 12:49:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1221

Comment 12 errata-xmlrpc 2017-05-10 12:51:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1220

Comment 13 errata-xmlrpc 2017-12-13 16:50:48 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453


Note You need to log in before you can comment on or make changes to this bug.