Red Hat Bugzilla – Bug 767129
java-1.6.0-openjdk: CVE-2011-3389/7064341 fix regression [rhel-6]
Last modified: 2012-02-16 04:40:27 EST
Description of problem:
A regression was found in the fix for CVE-2011-3389/7064341 that was applied to Oracle JDK 6u29 and the matching OpenJDK update. This causes connections to certain SSL servers to hang:
In our case, this problem was reported for JBoss products using JDBC to connect to Microsoft SQL server. Some workarounds were identified:
- use a non-CBC cipher (e.g. one of the RC4 cipher suites)
- disable the CVE-2011-3389 mitigation using -Djsse.enableCBCProtection=false
Related Support Essentials article:
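The first workaround above (restricting a connection to non-CBC suites) can be applied per socket instead of switching the CVE-2011-3389 mitigation off JVM-wide with -Djsse.enableCBCProtection=false. The following is an added illustration written for this page, not code from the bug report, from OpenJDK or from any JDBC driver; the host and port are assumed command-line arguments, and the Java 6 syntax matches the JDK generation the bug concerns. A JDBC driver creates its own sockets, so for the JBoss/SQL Server case the same suite list would have to be handed to the driver through its own configuration; the class shows the mechanism.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example: keep the JSSE CBC protection enabled for the whole JVM and
// only steer one connection away from CBC suites, which is the cipher-suite
// workaround the bug report lists first.
public class NonCbcSuiteFilter {

    // Return the subset of 'enabled' whose names do not contain "_CBC_".
    // On JDK 6 the survivors are the RC4 suites the report mentions; on
    // later JDKs the GCM suites also pass the filter.
    static String[] dropCbcSuites(String[] enabled) {
        List<String> kept = new ArrayList<String>();
        for (String suite : enabled) {
            if (!suite.contains("_CBC_")) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    // Narrow the socket's enabled suites; refuse to leave it with none,
    // because an empty list would make every handshake fail.
    static void restrictToNonCbc(SSLSocket socket) {
        String[] filtered = dropCbcSuites(socket.getEnabledCipherSuites());
        if (filtered.length == 0) {
            throw new IllegalStateException(
                "no non-CBC suite enabled; keeping the default suite list");
        }
        socket.setEnabledCipherSuites(filtered);
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: host and port of the TLS server to test against.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            restrictToNonCbc(socket);
            System.out.println("offering: "
                + Arrays.toString(socket.getEnabledCipherSuites()));
            socket.startHandshake();
            System.out.println("negotiated: "
                + socket.getSession().getCipherSuite());
        } finally {
            socket.close();
        }
    }
}
```

Running it against the affected server shows which non-CBC suite is negotiated; if the handshake still hangs with no CBC suite offered, the CBC-split regression is not the cause, which is a useful check before reaching for the global property.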
Oracle 6u30 was released to address this issue:
Fixed in upstream OpenJDK:
Fix is in IcedTea6 HEAD:
Needs backporting to branches.
This is fixed in the latest upstream release:
I'll leave others to comment on when this will be packaged for RHEL.
This was fixed upstream in IcedTea 1.10.5. We have updated to 1.10.6 in RHSA-2012:0135, hence this issue is fixed.