Bug 1472476 (CVE-2017-10176) - CVE-2017-10176 OpenJDK: incorrect handling of certain EC points (Security, 8178135)
Summary: CVE-2017-10176 OpenJDK: incorrect handling of certain EC points (Security, 81...
Keywords:
Status: NEW
Alias: CVE-2017-10176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1466515
TreeView+ depends on / blocked
 
Reported: 2017-07-18 20:43 UTC by Tomas Hoger
Modified: 2019-09-29 14:16 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1790 normal SHIPPED_LIVE Critical: java-1.8.0-oracle security update 2017-12-14 20:16:58 UTC
Red Hat Product Errata RHSA-2017:1791 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-14 19:49:45 UTC

Description Tomas Hoger 2017-07-18 20:43:06 UTC
It was discovered that the Elliptic Curve (EC) cryptography implementation in the Security component of OpenJDK did not perform computations for certain points correctly.  An attacker able to interact with a Java application using EC cryptography could possibly use this flaw to obtain information about the used key.

Comment 1 Tomas Hoger 2017-07-18 20:51:19 UTC
Public now via Oracle CPU July 2017:

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA

The issue was fixed in Oracle JDK 8u141 and 7u151.

Comment 2 Tomas Hoger 2017-07-19 14:44:14 UTC
OpenJDK-8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d99101781d7e

Comment 3 errata-xmlrpc 2017-07-20 16:04:12 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1791 https://access.redhat.com/errata/RHSA-2017:1791

Comment 4 errata-xmlrpc 2017-07-20 16:20:08 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1790 https://access.redhat.com/errata/RHSA-2017:1790


Note You need to log in before you can comment on or make changes to this bug.