Bug 1357516 (CVE-2016-3485) - CVE-2016-3485 OpenJDK: weak authentication secret in Pipe implementation on Windows (Networking, 8145446)
Summary: CVE-2016-3485 OpenJDK: weak authentication secret in Pipe implementation on W...
Alias: CVE-2016-3485
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1350028
TreeView+ depends on / blocked
Reported: 2016-07-18 12:13 UTC by Tomas Hoger
Modified: 2021-02-17 03:36 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-07-18 12:17:23 UTC

Attachments (Terms of Use)

Description Tomas Hoger 2016-07-18 12:13:40 UTC
It was discovered that the Pipe (java.nio.channels.Pipe) implementation in the Networking component of OpenJDK that is used on the Microsoft Windows platformed used an insecure method to authenticate process which can use the Pipe. A local attacker could possibly use the flaw to connect to the Pipes created by other Java programs running on the system.

This issue did not affect OpenJDK versions running on Linux, where Pipe is implemented using the pipe() system call.  On Windows, Pipe support is implemented via a network socket listening on a loopback address ( and using authentication with a secret value to prevent unauthorized access to the Pipe.  A weak method to generate the secret could possibly allow bypass of the authentication mechanism.

Comment 1 Tomas Hoger 2016-07-20 07:46:34 UTC
Public now via Oracle CPU July 2016, fixed in Oracle JDK 8u101, 7u111, and 6u121.

External References:


Comment 2 Tomas Hoger 2016-07-20 09:40:01 UTC
OpenJDK 8 upstream commit:


Note You need to log in before you can comment on or make changes to this bug.