Bug 1443097 (CVE-2017-3539) - CVE-2017-3539 OpenJDK: MD5 allowed for jar verification (Security, 8171121)
Summary: CVE-2017-3539 OpenJDK: MD5 allowed for jar verification (Security, 8171121)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-3539
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170418,repor...
Depends On:
Blocks: 1438752
TreeView+ depends on / blocked
 
Reported: 2017-04-18 13:04 UTC by Tomas Hoger
Modified: 2019-06-08 21:55 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm.
Clone Of:
Environment:
Last Closed: 2017-05-10 13:46:37 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1108 normal SHIPPED_LIVE Moderate: java-1.8.0-openjdk security and bug fix update 2017-04-21 06:10:52 UTC
Red Hat Product Errata RHSA-2017:1109 normal SHIPPED_LIVE Moderate: java-1.8.0-openjdk security update 2017-04-20 23:27:18 UTC
Red Hat Product Errata RHSA-2017:1117 normal SHIPPED_LIVE Moderate: java-1.8.0-oracle security update 2017-12-14 20:17:15 UTC
Red Hat Product Errata RHSA-2017:1118 normal SHIPPED_LIVE Moderate: java-1.7.0-oracle security update 2017-12-14 19:52:56 UTC
Red Hat Product Errata RHSA-2017:1119 normal SHIPPED_LIVE Moderate: java-1.6.0-sun security update 2017-12-14 19:49:13 UTC
Red Hat Product Errata RHSA-2017:1204 normal SHIPPED_LIVE Moderate: java-1.7.0-openjdk security update 2017-05-09 14:46:54 UTC
Red Hat Product Errata RHSA-2017:1220 normal SHIPPED_LIVE Moderate: java-1.8.0-ibm security update 2017-05-10 16:44:34 UTC
Red Hat Product Errata RHSA-2017:1221 normal SHIPPED_LIVE Moderate: java-1.7.1-ibm security update 2017-05-10 16:44:04 UTC
Red Hat Product Errata RHSA-2017:1222 normal SHIPPED_LIVE Moderate: java-1.6.0-ibm security update 2017-05-10 16:43:49 UTC
Red Hat Product Errata RHSA-2017:3453 normal SHIPPED_LIVE Important: java-1.8.0-ibm security update 2017-12-13 21:48:15 UTC

Description Tomas Hoger 2017-04-18 13:04:02 UTC
It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification.  This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm.

This problem was originally addressed as part of October 2016 CPU as CVE-2016-5542 (bug 1385723).  In that update, the following changes were made:

- New security property jdk.jar.disabledAlgorithms was introduced, which can be used to restrict which algorithms can be used for jar verification.

- MD2 hash algorithm and RSA keys with less than 1024 bits were disabled by default.

At the same time, it was announced that the MD5 has algorithm was going to be disabled in the future updates.  It was originally planned to get disabled as part of the January 2017 CPU, but the change was further postponed to the April 2017 CPU.  Hence, MD5 is now becoming disabled by default.

The further details of the planned cryptography changes are available on the "Oracle JRE and JDK Cryptographic Roadmap" page:

https://www.java.com/en/jre-jdk-cryptoroadmap.html

Comment 1 Tomas Hoger 2017-04-18 18:23:54 UTC
Relevant entry in the Oracle JDK release notes:

http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html
http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_141
http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_151

  security-libs/java.security
  MD5 added to jdk.jar.disabledAlgorithms Security property

  This JDK release introduces a new restriction on how MD5 signed JAR files
  are verified. If the signed JAR file uses MD5, signature verification
  operations will ignore the signature and treat the JAR as if it were
  unsigned. This can potentially occur in the following types of applications
  that use signed JAR files:

  * Applets or Web Start Applications

  * Standalone or Server Applications that are run with a SecurityManager
  enabled and are configured with a policy file that grants permissions based
  on the code signer(s) of the JAR file.

  The list of disabled algorithms is controlled via the security property,
  jdk.jar.disabledAlgorithms, in the java.security file. This property
  contains a list of disabled algorithms and key sizes for cryptographically
  signed JAR files.

  To check if a weak algorithm or key was used to sign a JAR file, one can
  use the jarsigner binary that ships with this JDK. Running
  "jarsigner -verify" on a JAR file signed with a weak algorithm or key
  will print more information about the disabled algorithm or key.

  For example, to check a JAR file named test.jar, use the following command:

  jarsigner -verify test.jar

  If the file in this example was signed with a weak signature algorithm like
  MD5withRSA, the following output would be displayed:

    The jar will be treated as unsigned, because it is signed with a weak
    algorithm that is now disabled. Re-run jarsigner with the -verbose
    option for more details.

  More details can be displayed by using the verbose option:

  jarsigner -verify -verbose test.jar

  The following output would be displayed:

  - Signed by "CN=weak_signer" 
      Digest algorithm: MD5 (weak) 
      Signature algorithm: MD5withRSA (weak), 512-bit key (weak) 
    Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016 
      Timestamp digest algorithm: SHA-256 
      Timestamp signature algorithm: SHA256withRSA, 2048-bit key

  To address the issue, the JAR file will need to be re-signed with a
  stronger algorithm or key size. Alternatively, the restrictions can be
  reverted by removing the applicable weak algorithms or key sizes from the
  jdk.jar.disabledAlgorithms security property; however, this option is not
  recommended. Before re-signing affected JARs, the existing signature(s)
  should be removed from the JAR file. This can be done with the .zip
  utility, as follows:

  zip -d test.jar 'META-INF/.SF' 'META-INF/.RSA' 'META-INF/*.DSA' 

  Please periodically check the Oracle JRE and JDK Cryptographic Roadmap at
  http://java.com/cryptoroadmap for planned restrictions to signed JARs and
  other security components.

  JDK-8171121 (not public)

Comment 2 Tomas Hoger 2017-04-18 22:18:59 UTC
Public now via Oracle CPU April 20167, fixed in Oracle JDK 8u131, 7u141, and 6u151.

External References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA

Comment 3 Tomas Hoger 2017-04-19 11:28:36 UTC
OpenJDK8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1f2ff3f1882a

Comment 4 errata-xmlrpc 2017-04-20 19:28:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1109

Comment 5 errata-xmlrpc 2017-04-21 02:11:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1108

Comment 6 errata-xmlrpc 2017-04-24 11:17:35 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1118

Comment 7 errata-xmlrpc 2017-04-24 11:18:32 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1117

Comment 8 errata-xmlrpc 2017-04-24 11:19:20 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1119 https://access.redhat.com/errata/RHSA-2017:1119

Comment 9 errata-xmlrpc 2017-05-09 10:48:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:1204 https://access.redhat.com/errata/RHSA-2017:1204

Comment 10 errata-xmlrpc 2017-05-10 12:47:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:1222

Comment 11 errata-xmlrpc 2017-05-10 12:49:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1221

Comment 12 errata-xmlrpc 2017-05-10 12:51:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1220

Comment 13 errata-xmlrpc 2017-12-13 16:51:43 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453


Note You need to log in before you can comment on or make changes to this bug.