Bug 860652 (CVE-2013-1475) - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50)
Summary: CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-201...
Status: CLOSED ERRATA
Alias: CVE-2013-1475
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20130201,repor...
Keywords: Security
Depends On:
Blocks: 856136 906729
TreeView+ depends on / blocked
 
Reported: 2012-09-26 12:00 UTC by Jan Lieskovsky
Modified: 2019-06-08 19:15 UTC (History)
10 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-03-01 19:51:03 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0236 normal SHIPPED_LIVE Critical: java-1.6.0-sun security update 2013-02-05 04:53:12 UTC
Novell 782211 None None None 2012-09-26 12:03:22 UTC
Red Hat Product Errata RHSA-2013:0237 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2013-02-05 04:53:02 UTC
Red Hat Product Errata RHSA-2013:0245 normal SHIPPED_LIVE Critical: java-1.6.0-openjdk security update 2013-02-09 00:35:08 UTC
Red Hat Product Errata RHSA-2013:0246 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2013-02-09 00:12:22 UTC
Red Hat Product Errata RHSA-2013:0247 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2013-02-09 00:24:43 UTC

Description Jan Lieskovsky 2012-09-26 12:00:01 UTC
Security Explorations security and vulnerability research company reported:
[1] http://seclists.org/bugtraq/2012/Sep/109

presence of a new security flaw, affecting recent Oracle Java SE 5 Update 22, Oracle Java SE 6 Update 35, and Oracle Java SE 7 Update 7 versions of Oracle Java SE software. This flaw is reported to allow complete Java security sandbox bypass.

References:
[2] http://www.security-explorations.com/en/SE-2012-01.html

Comment 1 Tomas Hoger 2012-10-16 08:48:53 UTC
According to the vendor communication time line published at:

  http://www.security-explorations.com/en/SE-2012-01-status.html

this issue is not planned to be fixed in the Java CPU to be published today and is only planned to get fixed in the following CPU in Feb 2013.

  10-Oct-2012

  - Oracle informs that the company is targeting to address Issue 50 in
    the February 2013 Java SE Critical Patch Update.

  ...

  15-Oct-2012

  - Security Explorations asks Oracle about the reason behind company's
    decision to wait with a patch for a critical Java security issue
    (number 50) till Feb 2013.

Comment 2 Stefan Cornelius 2013-02-04 18:23:46 UTC
This should be CVE-2013-1475 of the February 2013 Java CPU.


External Reference:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

Comment 3 Tomas Hoger 2013-02-04 19:01:39 UTC
Additional details from Adam Gowdiak of Security Explorations:

http://seclists.org/fulldisclosure/2013/Feb/12

  [Issue 50]
  Issue 50 allows to violate a fundamental security constraint
  of Java VM, which is type safety. This vulnerability is another
  instance of the problem related to the unsafe deserialization
  implemented by com.sun.corba.se.impl.io.ObjectStreamClass class.
  Its first instance was fixed by Oracle in Oct 2011 [2] and it
  stemmed from the fact that during deserialization insufficient
  type checks were done with respect to object references that
  were written to target object instance created by the means of
  deserialization. Such a reference writing was accomplished with
  the use of a native functionality of sun.corba.Bridge class.
  
  The problem that we found back in Sep 2012 was very similar to
  the first one. It was located in the same code (class) and was
  also exploiting direct writing of object references to memory
  with the use of putObject method. While the first type confusion
  issue allowed to write object references of incompatible types
  to correct field offsets, Issue 50 relied on the possibility to
  write object references of incompatible types to...invalid field
  offsets.
  
  It might be also worth to mention that Issue 50 was found to
  be present in Java SE Embedded [3]. That is Java version that
  is based on desktop Java SE and is used in today’s most powerful
  embedded systems such as aircraft and medical systems [4]. We
  verified that Oracle Java SE Embedded ver. 7 Update 6 from 10
  Aug 2012 for ARM / Linux contained vulnerable implementation
  of ObjectStreamClass class.
  
  Unfortunately, we don't know any details regarding the impact
  of Issue 50 in the embedded space (which embedded systems are
  vulnerable to it, whether any feasible attack vectors exist,
  etc.). So, it's up to Oracle to clarify any potential concerns
  in that area.

Original report:
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-6.pdf
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-7.pdf

Comment 4 Tomas Hoger 2013-02-04 19:02:20 UTC
Upstream commit, as included in IcedTea7 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/corba/rev/127e4c348a71

Comment 5 errata-xmlrpc 2013-02-04 23:54:41 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0237 https://rhn.redhat.com/errata/RHSA-2013-0237.html

Comment 6 errata-xmlrpc 2013-02-04 23:57:38 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0236 https://rhn.redhat.com/errata/RHSA-2013-0236.html

Comment 9 errata-xmlrpc 2013-02-08 19:16:54 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0246 https://rhn.redhat.com/errata/RHSA-2013-0246.html

Comment 10 errata-xmlrpc 2013-02-08 19:26:46 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0247 https://rhn.redhat.com/errata/RHSA-2013-0247.html

Comment 11 errata-xmlrpc 2013-02-08 19:36:58 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0245 https://rhn.redhat.com/errata/RHSA-2013-0245.html

Comment 12 Tomas Hoger 2013-02-14 10:09:34 UTC
Fixed in upstream IcedTea versions IcedTea6 1.11.6, and 1.12.1, and IcedTea7 2.1.5, 2.2.5, and 2.3.6:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021708.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021728.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021905.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021876.html

Note that version 2.3.5 was tagged in upstream mercurial including the security fixes, but was not released.  Only 2.3.6 was released, correcting problem introduced by security patches as included in 2.3.5.

Comment 13 Mark J. Cox 2013-02-18 15:11:15 UTC
[I'm changing the public= date in the metadata to the date the details were disclosed; prior to 2013-02-01 the existence of the issue was known but without any details until the Oracle update was released.]


Note You need to log in before you can comment on or make changes to this bug.