452649 – (CVE-2008-3105) CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)

Bug 452649 (CVE-2008-3105) - CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)

Summary: CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-3105
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	454628 456880 456881 457470 462076 462486 475760 475765 475766 475819
Blocks:
TreeView+	depends on / blocked

Reported:	2008-06-24 09:59 UTC by Marc Schoenefeld
Modified:	2019-09-29 12:25 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2010-12-23 21:31:59 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0594	normal	SHIPPED_LIVE	Critical: java-1.6.0-sun security update	2008-07-14 15:32:09 UTC
Red Hat Product Errata	RHSA-2008:0638	normal	SHIPPED_LIVE	Low: Red Hat Network Satellite Server IBM Java Runtime security update	2008-08-13 14:19:37 UTC
Red Hat Product Errata	RHSA-2008:0790	normal	SHIPPED_LIVE	Critical: java-1.5.0-ibm security update	2008-07-31 15:23:54 UTC
Red Hat Product Errata	RHSA-2008:0906	normal	SHIPPED_LIVE	Critical: java-1.6.0-ibm security update	2008-10-24 14:44:07 UTC
Red Hat Product Errata	RHSA-2008:1044	normal	SHIPPED_LIVE	Important: java-1.5.0-bea security update	2008-12-18 18:32:38 UTC
Red Hat Product Errata	RHSA-2008:1045	normal	SHIPPED_LIVE	Important: java-1.6.0-bea security update	2008-12-18 18:33:38 UTC

Description Marc Schoenefeld 2008-06-24 09:59:35 UTC

From Sun pre-notification, 6/23/2008

1. 6542088
A vulnerability in the Java™ Runtime Environment with processing XML data may 
allow unauthorized access to certain URL resources (such as some files and web 
pages) or a Denial of Service (DoS) condition to be created on the system 
running the JRE.

For this vulnerability to be exploited, the JAX-WS client or service in a 
trusted application needs to process XML data that contains malicious content. 
This vulnerability cannot be exploited through an untrusted applet or untrusted 
Java Web Start application.

Comment 3 Fedora Update System 2008-07-09 19:17:12 UTC

java-1.6.0-openjdk-1.6.0.0-0.16.b09.fc9 has been submitted as an update for Fedora 9

Comment 4 Fedora Update System 2008-07-09 21:46:47 UTC

java-1.7.0-icedtea-1.7.0.0-0.20.b21.snapshot.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-07-15 12:13:22 UTC

java-1.6.0-openjdk-1.6.0.0-0.16.b09.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Marc Schoenefeld 2009-08-06 07:59:31 UTC

Note: the Red Hat Security Advisory RHSA-2008:0906 (java-1.6.0-ibm SR 2) included a fix for CVE-2008-3105. This fix is not enabled by default. In order to activate the fix, set the "javax.xml.stream.supportDTD" and "com.ibm.xml.xlxp.support.dtd.compat.mode" system properties to "false",
for example:

export IBM_JAVA_OPTIONS='-Djavax.xml.stream.supportDTD=false
-Dcom.ibm.xml.xlxp.support.dtd.compat.mode=false'

Comment 14 Vincent Danen 2010-12-23 21:31:59 UTC

This was addressed via:

RHEL Supplementary version 5 (java-1.6.0-sun) RHSA-2008:0594
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-ibm) RHSA-2008:0906
RHEL Supplementary version 5 (java-1.6.0-ibm) RHSA-2008:0906

Note You need to log in before you can comment on or make changes to this bug.