Bug 1472666 - (CVE-2017-10243) CVE-2017-10243 OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170718,repor...
Keywords: Security
Depends On:
Blocks: 1466515
Reported: 2017-07-19 03:38 EDT by Tomas Hoger
Modified: 2017-12-13 11:54 EST (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-23 05:45:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Tomas Hoger 2017-07-19 03:38:37 EDT
Oracle Java SE 6u161, 7u151, and 8u141 fix an unspecified vulnerability in the JAX-WS component (CVE-2017-10243).  Upstream has CVSS scored this issue as: 6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

External Reference:

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA
Comment 1 errata-xmlrpc 2017-07-20 12:01:53 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:1792 https://access.redhat.com/errata/RHSA-2017:1792
Comment 2 errata-xmlrpc 2017-07-20 12:04:30 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1791 https://access.redhat.com/errata/RHSA-2017:1791
Comment 3 errata-xmlrpc 2017-07-20 12:20:25 EDT
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:1790 https://access.redhat.com/errata/RHSA-2017:1790
Comment 4 Tomas Hoger 2017-08-01 05:23:01 EDT
It was reported that this issue also affected OpenJDK.

It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use security settings for XML parsing when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information.

OpenJDK-8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jaxws/rev/65d3b0e44551
Comment 5 Tomas Hoger 2017-08-01 05:24:46 EDT
Relevant entry in the Oracle Java 8u141 release notes:

http://www.oracle.com/technetwork/java/javase/8u141-relnotes-3720385.html

  xml/jax-ws
  Tighter secure checks on processing WSDL files by wsimport tool

  The wsimport tool has been changed to disallow DTDs in Web Service
  descriptions, specifically:

  - DOCTYPE declaration is disallowed in documents
  - External general entities are not included by default
  - External parameter entities are not included by default
  - External DTDs are completely ignored

  To restore the previous behavior:

  - Set the System property com.sun.xml.internal.ws.disableXmlSecurity to true
  - Use the wsimport tool command line option -disableXmlSecurity

  NOTE: JDK 7 and JDK 6 support for this option in wsimport will be provided
  via a Patch release post July CPU

  JDK-8182054 (not public)
Comment 6 errata-xmlrpc 2017-08-07 11:08:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:2424 https://access.redhat.com/errata/RHSA-2017:2424
Comment 7 errata-xmlrpc 2017-08-14 05:50:37 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:2469 https://access.redhat.com/errata/RHSA-2017:2469
Comment 8 errata-xmlrpc 2017-08-15 16:00:27 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:2481 https://access.redhat.com/errata/RHSA-2017:2481
Comment 9 errata-xmlrpc 2017-08-23 05:19:23 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:2530 https://access.redhat.com/errata/RHSA-2017:2530
Comment 10 errata-xmlrpc 2017-12-13 11:54:19 EST
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453