Bug 452649 - (CVE-2008-3105) CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Hardware: All   OS: Linux
Priority: medium   Severity: medium
Assigned To: Red Hat Product Security
Depends On: 454628 456880 456881 457470 462076 462486 475760 475765 475766 475819
Reported: 2008-06-24 05:59 EDT by Marc Schoenefeld
Modified: 2010-12-23 16:31 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-12-23 16:31:59 EST

External Trackers
Tracker ID                              | Priority | Status       | Summary                                                                      | Last Updated
Red Hat Product Errata RHSA-2008:0594   | normal   | SHIPPED_LIVE | Critical: java-1.6.0-sun security update                                     | 2008-07-14 11:32:09 EDT
Red Hat Product Errata RHSA-2008:0638   | normal   | SHIPPED_LIVE | Low: Red Hat Network Satellite Server IBM Java Runtime security update       | 2008-08-13 10:19:37 EDT
Red Hat Product Errata RHSA-2008:0790   | normal   | SHIPPED_LIVE | Critical: java-1.5.0-ibm security update                                     | 2008-07-31 11:23:54 EDT
Red Hat Product Errata RHSA-2008:0906   | normal   | SHIPPED_LIVE | Critical: java-1.6.0-ibm security update                                     | 2008-10-24 10:44:07 EDT
Red Hat Product Errata RHSA-2008:1044   | normal   | SHIPPED_LIVE | Important: java-1.5.0-bea security update                                    | 2008-12-18 13:32:38 EST
Red Hat Product Errata RHSA-2008:1045   | normal   | SHIPPED_LIVE | Important: java-1.6.0-bea security update                                    | 2008-12-18 13:33:38 EST

Description Marc Schoenefeld 2008-06-24 05:59:35 EDT
From Sun pre-notification, 6/23/2008

1. 6542088
A vulnerability in the Java™ Runtime Environment with processing XML data may allow unauthorized access to certain URL resources (such as some files and web pages) or a Denial of Service (DoS) condition to be created on the system running the JRE.

For this vulnerability to be exploited, the JAX-WS client or service in a trusted application needs to process XML data that contains malicious content. This vulnerability cannot be exploited through an untrusted applet or untrusted Java Web Start application.
Comment 3 Fedora Update System 2008-07-09 15:17:12 EDT
java-1.6.0-openjdk- has been submitted as an update for Fedora 9
Comment 4 Fedora Update System 2008-07-09 17:46:47 EDT
java-1.7.0-icedtea- has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-07-15 08:13:22 EDT
java-1.6.0-openjdk- has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Marc Schoenefeld 2009-08-06 03:59:31 EDT
Note: the Red Hat Security Advisory RHSA-2008:0906 (java-1.6.0-ibm SR 2) included a fix for CVE-2008-3105. This fix is not enabled by default. In order to activate the fix, set the "javax.xml.stream.supportDTD" and "com.ibm.xml.xlxp.support.dtd.compat.mode" system properties to "false", for example:

export IBM_JAVA_OPTIONS='-Djavax.xml.stream.supportDTD=false -Dcom.ibm.xml.xlxp.support.dtd.compat.mode=false'
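As an added illustration (not part of the bug report, and not Red Hat's or IBM's code): the property named in the comment above, javax.xml.stream.supportDTD, is the standard StAX XMLInputFactory.SUPPORT_DTD property, so the same hardening can be applied per factory in application code on any StAX implementation instead of JVM-wide through IBM_JAVA_OPTIONS. The program below parses a constructed document that declares and references an internal entity, once with a default factory and once with DTD support disabled. The hardened result of null on the DTD-bearing input assumes the JDK's built-in StAX parser, which treats the now-undeclared entity reference as a fatal error; other implementations may report it differently. The IBM-specific com.ibm.xml.xlxp.support.dtd.compat.mode property has no standard equivalent and is not set here.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class DtdHardening {

    // Constructed sample: an internal DTD subset declaring an entity that the
    // body then references. It is deliberately inert (no external entity).
    static final String WITH_DTD =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE note [<!ENTITY greeting \"hello\">]>"
      + "<note>&greeting;</note>";

    // Constructed sample without any DOCTYPE; must parse under both settings.
    static final String WITHOUT_DTD = "<?xml version=\"1.0\"?><note>hello</note>";

    /** Builds a StAX factory with DTD processing disabled.
     *  XMLInputFactory.SUPPORT_DTD is the constant "javax.xml.stream.supportDTD",
     *  the same property the bug comment sets JVM-wide via IBM_JAVA_OPTIONS. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Also refuse to resolve external entities, independent of DTD support.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Parses the document to the end and returns its concatenated character
     *  content, or null if the parser rejected the document. */
    static String parseText(XMLInputFactory f, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
            return text.toString();
        } catch (XMLStreamException e) {
            // With SUPPORT_DTD=false the JDK parser skips the internal subset,
            // so "&greeting;" is an undeclared entity and parsing fails here.
            return null;
        }
    }

    public static void main(String[] args) {
        XMLInputFactory permissive = XMLInputFactory.newInstance(); // DTDs on by default
        XMLInputFactory hardened = hardenedFactory();

        System.out.println("default,  with DTD: " + parseText(permissive, WITH_DTD));    // hello
        System.out.println("default,  no DTD  : " + parseText(permissive, WITHOUT_DTD)); // hello
        System.out.println("hardened, with DTD: " + parseText(hardened, WITH_DTD));      // null
        System.out.println("hardened, no DTD  : " + parseText(hardened, WITHOUT_DTD));   // hello
    }
}
```

Setting the property on the factory only protects parsers created from that factory; code paths such as JAX-WS that create their own factories internally are the reason the comment above applies the property JVM-wide. Either way, a quick check is to feed a DOCTYPE-bearing document through the application's actual parsing path and confirm it is rejected rather than expanded.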
Comment 14 Vincent Danen 2010-12-23 16:31:59 EST
This was addressed via:

RHEL Supplementary version 5 (java-1.6.0-sun) RHSA-2008:0594
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-ibm) RHSA-2008:0906
RHEL Supplementary version 5 (java-1.6.0-ibm) RHSA-2008:0906
