Fedora Account System
Red Hat Associate
Red Hat Customer
It was discovered that the FTP client implementation in the Networking component of OpenJDK failed to correctly handle user inputs (e.g. usernames and passwords) containing newline characters. A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Java application if it could make it access a specially crafted FTP URL. Blog posts were published that describe how to use this flaw to open ports on firewalls using active FTP connections: http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html and sending mails during XML parsing when use of XML external entities is allowed: https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/
Public now via Oracle CPU April 20167, fixed in Oracle JDK 8u131, 7u141, and 6u151. External References: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA
OpenJDK8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/81ddd5fc5a4e
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1109
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1108
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1118
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1117
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2017:1119 https://access.redhat.com/errata/RHSA-2017:1119
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:1204 https://access.redhat.com/errata/RHSA-2017:1204
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:1222
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Red Hat Enterprise Linux 6 Supplementary Via RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1221
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Red Hat Enterprise Linux 6 Supplementary Via RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1220
This issue has been addressed in the following products: Red Hat Satellite 5.8 Red Hat Satellite 5.8 ELS Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453