Oracle Java SE 6u161, 7u151, and 8u141 fix an unspecified vulnerability in the JAX-WS component (CVE-2017-10243).
Upstream has CVSS scored this issue as: 6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
External Reference: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA

This issue has been addressed in the following products:
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7
Via RHSA-2017:1792 https://access.redhat.com/errata/RHSA-2017:1792

This issue has been addressed in the following products:
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6
Via RHSA-2017:1791 https://access.redhat.com/errata/RHSA-2017:1791

This issue has been addressed in the following products:
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6
Via RHSA-2017:1790 https://access.redhat.com/errata/RHSA-2017:1790

It was reported that this issue also affected OpenJDK. It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use security settings for XML parsing when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information.
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jaxws/rev/65d3b0e44551

Relevant entry in the Oracle Java 8u141 release notes:
http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html

xml/jax-ws
Tighter secure checks on processing WSDL files by wsimport tool

The wsimport tool has been changed to disallow DTDs in Web Service descriptions, specifically:
- DOCTYPE declaration is disallowed in documents
- External general entities are not included by default
- External parameter entities are not included by default
- External DTDs are completely ignored

To restore the previous behavior:
- Set the System property com.sun.xml.internal.ws.disableXmlSecurity to true
- Use the wsimport tool command line option -disableXmlSecurity

NOTE: JDK 7 and JDK 6 support for this option in wsimport will be provided via a Patch release post July CPU
JDK-8182054 (not public)

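The four restrictions in the release note above correspond to standard JAXP parser features. The following is an added example, not code from OpenJDK, Oracle or this bug: it applies those settings to a standalone WSDL pre-check. The class name WsdlPrecheck and both sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

// Added example (hypothetical class, not the JAX-WS fix itself): parse a WSDL
// with the same restrictions the 8u141 release note lists for wsimport.
public class WsdlPrecheck {

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Enables the JDK's processing limits (entity expansion and similar).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // "DOCTYPE declaration is disallowed in documents"
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // "External general entities are not included"
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // "External parameter entities are not included"
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // "External DTDs are completely ignored"
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the document parses under the hardened settings.
    static boolean accepted(String wsdl) throws Exception {
        try {
            hardenedBuilder().parse(
                new ByteArrayInputStream(wsdl.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a minimal WSDL root, with and without a DOCTYPE.
        String plain = "<definitions xmlns=\"http://schemas.xmlsoap.org/wsdl/\" name=\"Demo\"/>";
        String withDoctype = "<!DOCTYPE definitions [<!ENTITY e \"x\">]>"
            + "<definitions xmlns=\"http://schemas.xmlsoap.org/wsdl/\" name=\"&e;\"/>";
        System.out.println("plain WSDL accepted: " + accepted(plain));
        System.out.println("WSDL with DOCTYPE accepted: " + accepted(withDoctype));
    }
}
```
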
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7
Via RHSA-2017:2424 https://access.redhat.com/errata/RHSA-2017:2424

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary
Via RHSA-2017:2469 https://access.redhat.com/errata/RHSA-2017:2469

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary
Via RHSA-2017:2481 https://access.redhat.com/errata/RHSA-2017:2481

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2017:2530 https://access.redhat.com/errata/RHSA-2017:2530

This issue has been addressed in the following products:
  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS
Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453