706250 – (CVE-2011-0872) CVE-2011-0872 OpenJDK: non-blocking sockets incorrectly selected for reading (NIO, 6213702)

Bug 706250 (CVE-2011-0872) - CVE-2011-0872 OpenJDK: non-blocking sockets incorrectly selected for reading (NIO, 6213702)

Summary: CVE-2011-0872 OpenJDK: non-blocking sockets incorrectly selected for reading ...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2011-0872
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-05-19 20:51 UTC by Marc Schoenefeld
Modified:	2021-02-24 15:25 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-06-03 13:58:10 UTC
Embargoed:

Attachments	(Terms of Use)

Comment 8 Tomas Hoger 2011-06-07 11:44:56 UTC

A flaw was found in the NIO implementation of JRE on Microsoft Windows platforms. A non-blocking sockets with TCP urgent disabled could incorrectly get selected for reading.

Statement:

Not vulnerable. This issue only affected Java versions running on Windows platform. It did not affect the versions of java-1.6.0-openjdk as shipped with Red Hat Enterprise Linux 5 and 6, and the java-1.6.0-sun packages as shipped with Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6 Supplementary.

Comment 9 Tomas Hoger 2011-06-08 06:36:50 UTC

Public now via Oracle CPU June 2011:
http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

Also fixed in IcedTea6 versions 1.8.8, 1.9.8 and 1.10.2:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-June/014607.html

Patch:
http://icedtea.classpath.org/hg/release/icedtea6-1.9/file/8d393fbff5d3/patches/security/20110607/6213702.patch

Comment 10 Greg Wilkins 2012-01-15 23:41:02 UTC

We have a problem with the Jetty server hanging which looks to be a result of this "fix".

The symptom is that the server accepts new connections, but never processes any input on them.  On inspection, we can see that the call to the NIO selector is blocked in the discardUrgentData method.

We are not yet sure what causes the problem to occur, but suspect it is bad data on one connection.  If so, then this fix is allowing a DoS attack because 1 bad connection can lock an entire selector.

See https://bugs.eclipse.org/bugs/show_bug.cgi?id=357318

Comment 11 Tomas Hoger 2012-01-19 15:52:08 UTC

Greg, we did not actually do much about this issue on our side given that this problem / fix was Windows-specific.  If I correctly read the info in your Jetty bug, the issue is only reproducible on Windows platform, so may indeed be related to this fix.

This should be reported to Oracle.  As was done already:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=357318#c47
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7130796

If you want to make sure this appears on the Oracle security team radar, you may drop them a mail.  You can find contact information on their Reporting Security Vulnerabilities page:
http://www.oracle.com/us/support/assurance/reporting/index.html

Note You need to log in before you can comment on or make changes to this bug.