Bug 452649 - (CVE-2008-3105) CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=sun,public=20080708,reported=2...
Keywords: Security
Depends On: 454628 456880 456881 457470 462076 462486 475760 475765 475766 475819
Reported: 2008-06-24 05:59 EDT by Marc Schoenefeld
Modified: 2010-12-23 16:31 EST
Doc Type: Bug Fix
Last Closed: 2010-12-23 16:31:59 EST
Attachments: None

Description Marc Schoenefeld 2008-06-24 05:59:35 EDT
From Sun pre-notification, 6/23/2008

1. 6542088
A vulnerability in the Java™ Runtime Environment with processing XML data may 
allow unauthorized access to certain URL resources (such as some files and web 
pages) or a Denial of Service (DoS) condition to be created on the system 
running the JRE.

For this vulnerability to be exploited, the JAX-WS client or service in a 
trusted application needs to process XML data that contains malicious content. 
This vulnerability cannot be exploited through an untrusted applet or untrusted 
Java Web Start application.
Comment 3 Fedora Update System 2008-07-09 15:17:12 EDT
java-1.6.0-openjdk-1.6.0.0-0.16.b09.fc9 has been submitted as an update for Fedora 9
Comment 4 Fedora Update System 2008-07-09 17:46:47 EDT
java-1.7.0-icedtea-1.7.0.0-0.20.b21.snapshot.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-07-15 08:13:22 EDT
java-1.6.0-openjdk-1.6.0.0-0.16.b09.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Marc Schoenefeld 2009-08-06 03:59:31 EDT
Note: the Red Hat Security Advisory RHSA-2008:0906 (java-1.6.0-ibm SR 2) included a fix for CVE-2008-3105. This fix is not enabled by default. In order to activate the fix, set the "javax.xml.stream.supportDTD" and "com.ibm.xml.xlxp.support.dtd.compat.mode" system properties to "false", for example:

export IBM_JAVA_OPTIONS='-Djavax.xml.stream.supportDTD=false -Dcom.ibm.xml.xlxp.support.dtd.compat.mode=false'
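The following is an added example, not code from this bug, from Sun's advisory, or from OpenJDK/JAX-WS. It illustrates the mechanism behind the description above (XML content that makes the parser reach out to a file or URL the service never chose) and what the "javax.xml.stream.supportDTD" property from comment 13 actually changes. It uses the standard StAX API on the JDK's own parser, setting XMLInputFactory.SUPPORT_DTD per factory instead of the system property; the IBM-specific "com.ibm.xml.xlxp.support.dtd.compat.mode" knob has no JDK counterpart and is not shown. The document, the entity name "ext", the marker string and the temporary file are all constructed for the demonstration. The expected outcome encoded in the checks is that the file content appears in the parsed text only when DTD support is on; with DTD support off, the JDK parser reports the undeclared entity as an error, while another StAX implementation might instead surface an unexpanded ENTITY_REFERENCE event, so both are treated as "not resolved".

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not from the bug or from OpenJDK/JAX-WS): parse the same
 * document with DTD support on and off and compare what reaches the caller.
 */
public class DtdSupportCheck {

    /** Parse xml with a StAX reader and return the character data found in the body. */
    static String textContent(String xml, boolean supportDtd) {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Per-factory equivalent of -Djavax.xml.stream.supportDTD=<supportDtd>.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, supportDtd);
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                } else if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    // Unexpanded reference: the parser reported the name but fetched nothing.
                    text.append("[unresolved &").append(reader.getLocalName()).append(";]");
                }
            }
            reader.close();
        } catch (XMLStreamException e) {
            // The JDK parser takes this path for &ext; when SUPPORT_DTD is false.
            return "[rejected: " + e.getMessage() + "]";
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed target: a local file standing in for a resource the service
        // should never expose. Created here so the run is self-contained.
        Path secret = Files.createTempFile("jaxws-demo", ".txt");
        Files.write(secret, "TOP-SECRET-MARKER".getBytes(StandardCharsets.UTF_8));
        try {
            // Constructed payload: an internal DTD subset declaring an external
            // entity, then a reference to it from the element content.
            String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE msg [\n"
                + "  <!ENTITY ext SYSTEM \"" + secret.toUri() + "\">\n"
                + "]>\n"
                + "<msg>&ext;</msg>";

            String withDtd = textContent(payload, true);
            String withoutDtd = textContent(payload, false);
            System.out.println("supportDTD=true : " + withDtd);
            System.out.println("supportDTD=false: " + withoutDtd);

            // The checks a practitioner wants: the file leaks only with DTDs enabled.
            if (!withDtd.contains("TOP-SECRET-MARKER")) {
                throw new AssertionError("expected the parser to expand the external entity");
            }
            if (withoutDtd.contains("TOP-SECRET-MARKER")) {
                throw new AssertionError("supportDTD=false still resolved the external entity");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac DtdSupportCheck.java && java DtdSupportCheck`; to reproduce the system-property form from comment 13 instead, drop the setProperty call and start the JVM with `-Djavax.xml.stream.supportDTD=false`. Disabling DTDs is the blunt instrument: it also removes legitimate internal subsets. Where a service must accept DTDs, the standard StAX property XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES set to false is the narrower setting that stops external entity fetches while leaving the rest of the DTD intact.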
Comment 14 Vincent Danen 2010-12-23 16:31:59 EST
This was addressed via:

RHEL Supplementary version 5 (java-1.6.0-sun) RHSA-2008:0594
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-ibm) RHSA-2008:0906
RHEL Supplementary version 5 (java-1.6.0-ibm) RHSA-2008:0906
