Bug 1639442 (CVE-2018-3139) - CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902)
Summary: CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Netwo...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-3139
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1633820 1633821 1633822 1639728 1639729 1639730 1639731 1639732 1639733 1639734 1639736 1639737 1639780 1640178 1640179 1640180 1646173 1646174 1646175 1649854 1649855 1649856 1652094 1652099 1652100
Blocks: 1633819
TreeView+ depends on / blocked
 
Reported: 2018-10-15 18:07 UTC by Tomas Hoger
Modified: 2021-12-10 17:56 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-18 21:49:59 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2942 0 None None None 2018-10-17 21:22:13 UTC
Red Hat Product Errata RHSA-2018:2943 0 None None None 2018-10-17 21:22:46 UTC
Red Hat Product Errata RHSA-2018:3000 0 None None None 2018-10-24 22:05:55 UTC
Red Hat Product Errata RHSA-2018:3001 0 None None None 2018-10-24 22:06:32 UTC
Red Hat Product Errata RHSA-2018:3002 0 None None None 2018-10-24 22:07:05 UTC
Red Hat Product Errata RHSA-2018:3003 0 None None None 2018-10-24 22:07:46 UTC
Red Hat Product Errata RHSA-2018:3007 0 None None None 2018-10-24 21:39:12 UTC
Red Hat Product Errata RHSA-2018:3008 0 None None None 2018-10-24 21:39:46 UTC
Red Hat Product Errata RHSA-2018:3350 0 None None None 2018-10-30 09:18:33 UTC
Red Hat Product Errata RHSA-2018:3409 0 None None None 2018-10-30 16:59:39 UTC
Red Hat Product Errata RHSA-2018:3521 0 None None None 2018-11-07 18:13:21 UTC
Red Hat Product Errata RHSA-2018:3533 0 None None None 2018-11-09 11:49:15 UTC
Red Hat Product Errata RHSA-2018:3534 0 None None None 2018-11-09 11:49:50 UTC
Red Hat Product Errata RHSA-2018:3671 0 None None None 2018-11-26 15:42:55 UTC
Red Hat Product Errata RHSA-2018:3672 0 None None None 2018-11-26 15:43:31 UTC
Red Hat Product Errata RHSA-2018:3779 0 None None None 2018-12-05 15:53:16 UTC
Red Hat Product Errata RHSA-2018:3852 0 None None None 2018-12-18 15:51:04 UTC

Description Tomas Hoger 2018-10-15 18:07:49 UTC
An information leak flaw was found in the Networking component of OpenJDK.  The HttpURLConnection class implementation could re-send HTTP headers containing sensitive data (such as Cookie or Authorization headers) to a different host when following HTTP redirects.  This could lead to exposure of data to unintended HTTP hosts.

Comment 1 Tomas Hoger 2018-10-16 19:39:35 UTC
A related entry in the Oracle JDK 11.0.1, 8u191, 7u201, and 6u211:

  core-libs
  Better HTTP Redirection Support 

  In this release, the behavior of methods which application code uses to
  set request properties in java.net.HttpURLConnection has changed. When a
  redirect occurs automatically from the original destination server to a
  resource on a different server, then all such properties are cleared for
  the redirect and any subsequent redirects. If these properties are required
  to be set on the redirected requests, then the redirect responses should be
  handled by the application by calling
  HttpURLConnection.setInstanceFollowRedirects(false) for the original
  request.

  JDK-8196902 (not public)

https://www.oracle.com/technetwork/java/javase/11-0-1-relnotes-5032023.html
https://www.oracle.com/technetwork/java/javase/8u191-relnotes-5032181.html
https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_201
https://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_211

Comment 2 Tomas Hoger 2018-10-16 21:01:36 UTC
Public now via Oracle CPU October 2018:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA

The issue was fixed in Oracle JDK 11.0.1, 8u191, 7u201, and 6u211.

Comment 4 errata-xmlrpc 2018-10-17 21:22:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2942 https://access.redhat.com/errata/RHSA-2018:2942

Comment 5 errata-xmlrpc 2018-10-17 21:22:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2943 https://access.redhat.com/errata/RHSA-2018:2943

Comment 6 Tomas Hoger 2018-10-19 20:34:30 UTC
OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/791a21c79ab0

OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/11c8538d53a7

Comment 7 errata-xmlrpc 2018-10-24 21:39:06 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3007 https://access.redhat.com/errata/RHSA-2018:3007

Comment 8 errata-xmlrpc 2018-10-24 21:39:40 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3008 https://access.redhat.com/errata/RHSA-2018:3008

Comment 9 errata-xmlrpc 2018-10-24 22:05:48 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3000 https://access.redhat.com/errata/RHSA-2018:3000

Comment 10 errata-xmlrpc 2018-10-24 22:06:27 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3001 https://access.redhat.com/errata/RHSA-2018:3001

Comment 11 errata-xmlrpc 2018-10-24 22:06:59 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002

Comment 12 errata-xmlrpc 2018-10-24 22:07:41 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003

Comment 14 errata-xmlrpc 2018-10-30 09:18:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3350 https://access.redhat.com/errata/RHSA-2018:3350

Comment 15 errata-xmlrpc 2018-10-30 16:59:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3409 https://access.redhat.com/errata/RHSA-2018:3409

Comment 16 errata-xmlrpc 2018-11-07 18:13:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521

Comment 17 errata-xmlrpc 2018-11-09 11:49:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533

Comment 18 errata-xmlrpc 2018-11-09 11:49:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534

Comment 21 errata-xmlrpc 2018-11-26 15:42:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3671 https://access.redhat.com/errata/RHSA-2018:3671

Comment 22 errata-xmlrpc 2018-11-26 15:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3672 https://access.redhat.com/errata/RHSA-2018:3672

Comment 23 errata-xmlrpc 2018-12-05 15:53:08 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2018:3779 https://access.redhat.com/errata/RHSA-2018:3779

Comment 24 errata-xmlrpc 2018-12-18 15:51:03 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852


Note You need to log in before you can comment on or make changes to this bug.