This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 907207 - (CVE-2013-0428) CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Lib...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
impact=critical,public=20130201,repor...
: Security
Depends On:
Blocks: 906729
  Show dependency treegraph
 
Reported: 2013-02-03 14:05 EST by Tomas Hoger
Modified: 2013-10-23 12:48 EDT (History)
3 users (show)

See Also:
Fixed In Version: icedtea6 1.11.6, icedtea6 1.12.1, icedtea7 2.1.5, icedtea7 2.2.5, icedtea7 2.3.6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-03-12 05:16:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2013-02-03 14:05:09 EST
A flaw was found in the Java refection API in the handling of access privileges of proxy classes.  An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

External Reference:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Comment 1 Tomas Hoger 2013-02-04 11:26:07 EST
Upstream commit, as included in IcedTea7 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/c9534e095b37
Comment 2 Tomas Hoger 2013-02-04 12:16:58 EST
Additional details from Adam Gowdiak of Security Explorations:

http://seclists.org/fulldisclosure/2013/Feb/12

  [Issue 29]
  This issue allows for the creation of arbitrary Proxy objects
  for interfaces defined in restricted packages. Proxy objects
  defined in a NULL class loader namespaces are of a particular
  interest here. Such objects can be used to manipulate instances
  of certain restricted classes.
  
  In our Proof of Concept code we create such a proxy object for
  the com.sun.xml.internal.bind.v2.model.nav.Navigator interface.
  In order to use the aforementioned proxy object, we need an
  instance of that interface too. We obtain it with the help of
  Issue 28, which allows to access arbitrary field objects from
  restricted classes and interfaces. As a result, by combining
  Issue 27-29, one can use Navigator interface and make use of
  its sensitive Reflection API functionality such as obtaining
  access to methods of arbitrary classes. That condition can be
  further leveraged to obtain a complete JVM security bypass.
  
  Please, note that our Proof of Concept code for Issues 27-29
  was reported to Oracle in Apr 2012 and depending Issues 27-28
  were addressed by the company sooner than Issue 29. Testing
  of the PoC will thus give best results on older versions of
  Java SE 7.

Original report:
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-4.pdf
Comment 3 errata-xmlrpc 2013-02-04 18:55:46 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0237 https://rhn.redhat.com/errata/RHSA-2013-0237.html
Comment 4 errata-xmlrpc 2013-02-04 18:57:11 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0236 https://rhn.redhat.com/errata/RHSA-2013-0236.html
Comment 6 errata-xmlrpc 2013-02-08 14:16:23 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0246 https://rhn.redhat.com/errata/RHSA-2013-0246.html
Comment 7 errata-xmlrpc 2013-02-08 14:27:13 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0247 https://rhn.redhat.com/errata/RHSA-2013-0247.html
Comment 8 errata-xmlrpc 2013-02-08 14:37:20 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0245 https://rhn.redhat.com/errata/RHSA-2013-0245.html
Comment 9 Tomas Hoger 2013-02-14 05:14:21 EST
Fixed in upstream IcedTea versions IcedTea6 1.11.6, and 1.12.1, and IcedTea7 2.1.5, 2.2.5, and 2.3.6:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021708.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021728.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021905.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021876.html

Note that version 2.3.5 was tagged in upstream mercurial including the security fixes, but was not released.  Only 2.3.6 was released, correcting problem introduced by security patches as included in 2.3.5.
Comment 10 errata-xmlrpc 2013-03-11 14:47:26 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0624 https://rhn.redhat.com/errata/RHSA-2013-0624.html
Comment 11 errata-xmlrpc 2013-03-11 14:58:59 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0626 https://rhn.redhat.com/errata/RHSA-2013-0626.html
Comment 12 errata-xmlrpc 2013-03-11 15:04:47 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0625 https://rhn.redhat.com/errata/RHSA-2013-0625.html
Comment 13 errata-xmlrpc 2013-10-23 12:36:37 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.5

Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html
Comment 14 errata-xmlrpc 2013-10-23 12:48:59 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html

Note You need to log in before you can comment on or make changes to this bug.