Bug 1472666 (CVE-2017-10243) - CVE-2017-10243 OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
Summary: CVE-2017-10243 OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-10243
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1466515
Reported: 2017-07-19 07:38 UTC by Tomas Hoger
Modified: 2021-02-17 01:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information.
Clone Of:
Environment:
Last Closed: 2017-08-23 09:45:36 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1790 0 normal SHIPPED_LIVE Critical: java-1.8.0-oracle security update 2017-12-14 20:16:58 UTC
Red Hat Product Errata RHSA-2017:1791 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-14 19:49:45 UTC
Red Hat Product Errata RHSA-2017:1792 0 normal SHIPPED_LIVE Critical: java-1.6.0-sun security update 2017-12-14 20:06:49 UTC
Red Hat Product Errata RHSA-2017:2424 0 normal SHIPPED_LIVE Critical: java-1.7.0-openjdk security update 2017-08-07 19:05:48 UTC
Red Hat Product Errata RHSA-2017:2469 0 normal SHIPPED_LIVE Critical: java-1.8.0-ibm security update 2017-08-14 13:48:39 UTC
Red Hat Product Errata RHSA-2017:2481 0 normal SHIPPED_LIVE Critical: java-1.7.1-ibm security update 2017-08-15 23:58:06 UTC
Red Hat Product Errata RHSA-2017:2530 0 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2017-08-23 13:17:46 UTC
Red Hat Product Errata RHSA-2017:3453 0 normal SHIPPED_LIVE Important: java-1.8.0-ibm security update 2017-12-13 21:48:15 UTC

Description Tomas Hoger 2017-07-19 07:38:37 UTC
Oracle Java SE 6u161, 7u151, and 8u141 fix an unspecified vulnerability in the JAX-WS component (CVE-2017-10243). Upstream has CVSS scored this issue as: 6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

External Reference:

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA

Comment 1 errata-xmlrpc 2017-07-20 16:01:53 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:1792 https://access.redhat.com/errata/RHSA-2017:1792

Comment 2 errata-xmlrpc 2017-07-20 16:04:30 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1791 https://access.redhat.com/errata/RHSA-2017:1791

Comment 3 errata-xmlrpc 2017-07-20 16:20:25 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1790 https://access.redhat.com/errata/RHSA-2017:1790

Comment 4 Tomas Hoger 2017-08-01 09:23:01 UTC
It was reported that this issue also affected OpenJDK.

It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use security settings for XML parsing when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information.

OpenJDK-8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jaxws/rev/65d3b0e44551

Comment 5 Tomas Hoger 2017-08-01 09:24:46 UTC
Relevant entry in the Oracle Java 8u141 release notes:

http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html

  xml/jax-ws
  Tighter secure checks on processing WSDL files by wsimport tool

  The wsimport tool has been changed to disallow DTDs in Web Service
  descriptions, specifically:

  - DOCTYPE declaration is disallowed in documents
  - External general entities are not included by default
  - External parameter entities are not included by default
  - External DTDs are completely ignored

  To restore the previous behavior:

  - Set the System property com.sun.xml.internal.ws.disableXmlSecurity to true
  - Use the wsimport tool command line option -disableXmlSecurity

  NOTE: JDK 7 and JDK 6 support for this option in wsimport will be provided
  via a Patch release post July CPU

  JDK-8182054 (not public)

Comment 6 errata-xmlrpc 2017-08-07 15:08:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:2424 https://access.redhat.com/errata/RHSA-2017:2424

Comment 7 errata-xmlrpc 2017-08-14 09:50:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:2469 https://access.redhat.com/errata/RHSA-2017:2469

Comment 8 errata-xmlrpc 2017-08-15 20:00:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:2481 https://access.redhat.com/errata/RHSA-2017:2481

Comment 9 errata-xmlrpc 2017-08-23 09:19:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:2530 https://access.redhat.com/errata/RHSA-2017:2530

Comment 10 errata-xmlrpc 2017-12-13 16:54:19 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453
