Hide Forgot
It was discovered that the CORBA component of OpenJDK did not sufficiently restrict the use of custom ValueHandler when performing object deserialization. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
Public now via Oracle CPU July 2016, fixed in Oracle JDK 8u101, 7u111, and 6u121. External References: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA
There is an entry in the release notes related to this issue: http://www.oracle.com/technetwork/java/javase/8u101-relnotes-3021761.html other-libs/corba Improve access control to javax.rmi.CORBA.ValueHandler The javax.rmi.CORBA.Util class provides methods that can be used by stubs and ties to perform common operations. It also acts as a factory for ValueHandlers. The javax.rmi.CORBA.ValueHandler interface provides services to support the reading and writing of value types to GIOP streams. The security awareness of these utilities has been enhanced with the introduction of a permission java.io.SerializablePermission("enableCustomValueHanlder"). This is used to establish a trust relationship between the users of the javax.rmi.CORBA.Util and javax.rmi.CORBA.ValueHandler APIs. The required permission is "enableCustomValueHanlder" SerializablePermission. Third party code running with a SecurityManager installed, but not having the new permission while invoking Util.createValueHandler(), will fail with an AccessControlException. This permission check behaviour can be overridden, in JDK8u and previous releases, by defining a system property, "jdk.rmi.CORBA.allowCustomValueHandler". As such, external applications that explicitly call javax.rmi.CORBA.Util.createValueHandler require a configuration change to function when a SecurityManager is installed and neither of the following two requirements is met: 1. The java.io.SerializablePermission("enableCustomValueHanlder") is not granted by SecurityManager. 2. In the case of applications running on JDK8u and before, the system property "jdk.rmi.CORBA.allowCustomValueHandler" is either not defined or is defined equal to "false" (case insensitive). Please note that the "enableCustomValueHanlder" typo will be corrected in the October 2016 releases. In those and future JDK releases, "enableCustomValueHandler" will be the correct SerializationPermission to use. JDK-8079718 (not public) Note that OpenJDK packages in Red Hat Enterprise Linux will use correctly spelt name for the "enableCustomValueHandler" permission, but will also recognize mis-spelt "enableCustomValueHanlder" for compatibility with Oracle JDK.
OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/corba/rev/4821afbaa2a6
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2016:1458 https://access.redhat.com/errata/RHSA-2016:1458
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2016:1477 https://access.redhat.com/errata/RHSA-2016:1477
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2016:1476 https://access.redhat.com/errata/RHSA-2016:1476
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2016:1475 https://access.redhat.com/errata/RHSA-2016:1475
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2016:1504 https://rhn.redhat.com/errata/RHSA-2016-1504.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:1776 https://rhn.redhat.com/errata/RHSA-2016-1776.html