Red Hat Bugzilla – Bug 452649
CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)
Last modified: 2010-12-23 16:31:59 EST
From Sun pre-notification, 6/23/2008
A vulnerability in the Java™ Runtime Environment with processing XML data may
allow unauthorized access to certain URL resources (such as some files and web
pages) or a Denial of Service (DoS) condition to be created on the system
running the JRE.
For this vulnerability to be exploited, the JAX-WS client or service in a
trusted application needs to process XML data that contains malicious content.
This vulnerability cannot be exploited through an untrusted applet or untrusted
Java Web Start application.
java-1.6.0-openjdk-22.214.171.124-0.16.b09.fc9 has been submitted as an update for Fedora 9
java-1.7.0-icedtea-126.96.36.199-0.20.b21.snapshot.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-188.8.131.52-0.16.b09.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Note: the Red Hat Security Advisory RHSA-2008:0906 (java-1.6.0-ibm SR 2) included a fix for CVE-2008-3105. This fix is not enabled by default. In order to activate the fix, set the "javax.xml.stream.supportDTD" and "com.ibm.xml.xlxp.support.dtd.compat.mode" system properties to "false".
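The note above tells an operator to turn DTD support off through two system properties. The following Java program is an added illustration, not code from this bug report or from Red Hat, IBM or Sun: it sets the standard StAX property named in the note (javax.xml.stream.supportDTD, exposed as XMLInputFactory.SUPPORT_DTD) on an XMLInputFactory, sets both system properties exactly as the note instructs, and then parses a constructed document whose internal DTD declares an entity, to verify that a parser built from that factory really refuses DTD-driven entity expansion. The check relies on the documented behaviour of the OpenJDK/Oracle StAX implementation (a reference to an entity declared in a skipped DTD is a fatal parse error); the com.ibm.xml.xlxp.support.dtd.compat.mode property is specific to the IBM JDK parser and is only set here, not verified.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

/**
 * Added example (not from the bug report): checks whether a StAX parser
 * honours javax.xml.stream.supportDTD=false by feeding it a document that
 * can only be parsed completely if the DTD is processed.
 */
public class DtdSupportCheck {

    // Constructed sample document: the internal DTD declares an entity and the
    // body references it. With DTD support on, "greeting" expands to "hello".
    // With DTD support off, the declaration is skipped, so the reference is an
    // undeclared entity and the parser raises a fatal error instead.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<doc>&greeting;</doc>";

    /** Returns the character content of the document using a factory configured as given. */
    static String parseText(boolean supportDtd) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Same property name as in the note ("javax.xml.stream.supportDTD"),
        // set on the factory so it applies regardless of how the JVM was launched.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, supportDtd);
        // Also refuse external entities; with DTD support left on, a DTD could
        // otherwise direct the parser at a file or URL, which is the class of
        // unauthorized URL access this bug describes.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);

        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(SAMPLE));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) {
        // Mirrors the note's instruction; equivalent to launching the JVM with
        //   -Djavax.xml.stream.supportDTD=false
        //   -Dcom.ibm.xml.xlxp.support.dtd.compat.mode=false
        // The second property is read by the IBM JDK's XLXP parser (assumption:
        // not verified here); the OpenJDK parser is configured via the factory above.
        System.setProperty("javax.xml.stream.supportDTD", "false");
        System.setProperty("com.ibm.xml.xlxp.support.dtd.compat.mode", "false");

        try {
            System.out.println("DTD support on : text = \"" + parseText(true) + "\"");
        } catch (XMLStreamException e) {
            System.out.println("DTD support on : unexpected parse failure: " + e.getMessage());
        }
        try {
            String text = parseText(false);
            System.out.println("DTD support off: entity still expanded to \"" + text
                + "\"; the fix is NOT active for this parser");
        } catch (XMLStreamException e) {
            System.out.println("DTD support off: parser rejected the DTD entity as expected ("
                + e.getMessage() + ")");
        }
    }
}
```

Run it with `javac DtdSupportCheck.java && java DtdSupportCheck`; on an OpenJDK-based JRE the first line prints the expanded text and the second reports that the entity reference was rejected. If the second case also prints expanded text, the parser in use is ignoring the property and the mitigation from the note is not in effect.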
This was addressed via:
RHEL Supplementary version 5 (java-1.6.0-sun) RHSA-2008:0594
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-ibm) RHSA-2008:0906
RHEL Supplementary version 5 (java-1.6.0-ibm) RHSA-2008:0906