Bug 1320650 (CVE-2016-0636) - CVE-2016-0636 OpenJDK: missing type safety checks for MethodHandle calls across class loaders, incorrect CVE-2013-5838 fix (Hotspot, 8151666)
Summary: CVE-2016-0636 OpenJDK: missing type safety checks for MethodHandle calls acro...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-0636
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1320655 1320656 1320657 1320658 1320659 1320661 1320662 1320664 1320665 1320667 1320668 1320669 1320670 1320671 1320672 1320673 1320674 1320675 1320961
Blocks: 1320678
TreeView+ depends on / blocked
 
Reported: 2016-03-23 17:14 UTC by Stefan Cornelius
Modified: 2019-09-29 13:46 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions.
Clone Of:
Environment:
Last Closed: 2016-03-31 20:08:09 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0511 normal SHIPPED_LIVE Critical: java-1.7.0-openjdk security update 2016-03-25 03:08:41 UTC
Red Hat Product Errata RHSA-2016:0512 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2016-03-25 03:58:39 UTC
Red Hat Product Errata RHSA-2016:0513 normal SHIPPED_LIVE Critical: java-1.8.0-openjdk security update 2016-03-25 03:58:27 UTC
Red Hat Product Errata RHSA-2016:0514 normal SHIPPED_LIVE Important: java-1.8.0-openjdk security update 2016-03-25 03:29:24 UTC
Red Hat Product Errata RHSA-2016:0515 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2017-12-14 22:18:26 UTC
Red Hat Product Errata RHSA-2016:0516 normal SHIPPED_LIVE Critical: java-1.8.0-oracle security update 2017-12-14 21:48:21 UTC

Description Stefan Cornelius 2016-03-23 17:14:42 UTC
It was discovered that the security fix for CVE-2013-5838 was incomplete
and still allowed remote attackers to escape the Java security sandbox
mechanism.

The root problem is that the Reflection API does not properly guarantee
type safety when Method Handle objects were invoked across two different
Class Loader namespaces.

A part of the original patch was to use the "loadersAreRelated()" method
to ensure that the two Class Loaders are related, which is a condition
for correct type safety.

However, this condition could be easily fulfilled by abusing certain
behaviours in the class loading process, which could allow an attacker
to bypass the type safety checks and ultimately escapte the security
sandbox mechanism.

External References:
http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html
https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636

http://seclists.org/fulldisclosure/2016/Mar/31
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf

Comment 5 Tomas Hoger 2016-03-23 20:20:26 UTC
Public now via "Oracle Security Alert for CVE-2016-0636":

http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html
https://blogs.oracle.com/security/entry/security_alert_cve_2016_0636

Fixed in Oracle Java SE 7u99 and 8u77.

Comment 8 Tomas Hoger 2016-03-23 21:46:38 UTC
This update seems to be addressing this issue from Adam Gowdiak of Security Explorations:

http://seclists.org/fulldisclosure/2016/Mar/31
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-14.pdf

The reported issue in an incorrect fix for CVE-2013-5838 (bug 1019300).

Comment 12 Tomas Hoger 2016-03-24 20:46:36 UTC
(In reply to Tomas Hoger from comment #8)
> This update seems to be addressing this issue from Adam Gowdiak of Security
> Explorations:
> 
> http://seclists.org/fulldisclosure/2016/Mar/31

This is now confirmed by the Security Explorations' site:

http://www.security-explorations.com/en/SE-2012-01-status.html

  24-Mar-2016
  - Oracle provides a status report regarding a broken security fix for Issue
  69. The company informs that it was fixed by Security Alert for CVE-2016-0636
  issued on Mar 23, 2016.

Comment 13 errata-xmlrpc 2016-03-24 23:08:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0511 https://rhn.redhat.com/errata/RHSA-2016-0511.html

Comment 14 errata-xmlrpc 2016-03-24 23:29:45 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:0516 https://rhn.redhat.com/errata/RHSA-2016-0516.html

Comment 15 errata-xmlrpc 2016-03-24 23:30:01 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2016:0515 https://rhn.redhat.com/errata/RHSA-2016-0515.html

Comment 16 errata-xmlrpc 2016-03-24 23:30:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0514 https://rhn.redhat.com/errata/RHSA-2016-0514.html

Comment 17 errata-xmlrpc 2016-03-24 23:58:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0513 https://rhn.redhat.com/errata/RHSA-2016-0513.html

Comment 18 errata-xmlrpc 2016-03-24 23:59:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7

Via RHSA-2016:0512 https://rhn.redhat.com/errata/RHSA-2016-0512.html

Comment 19 Tomas Hoger 2016-03-27 12:35:10 UTC
OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44179bce874

Comment 20 Tomas Hoger 2016-03-31 20:08:09 UTC
IBM indicates their JRE/JDK were not affected by this issue:

http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_Security_Alert_for_CVE-2016-0636


Note You need to log in before you can comment on or make changes to this bug.