Bug 1639834 (CVE-2018-3149) - CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177)
Summary: CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restric...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-3149
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20181016,repo...
Depends On: 1633820 1633821 1633822 1639728 1639729 1639730 1639731 1639732 1639733 1639734 1639736 1639737 1639780 1640178 1640179 1640180 1646173 1646174 1646175 1649854 1649855 1649856 1652094 1652099 1652100
Blocks: 1633819
TreeView+ depends on / blocked
 
Reported: 2018-10-16 17:30 UTC by Tomas Hoger
Modified: 2019-06-08 23:39 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-18 21:53:30 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2942 None None None 2018-10-17 21:22:22 UTC
Red Hat Product Errata RHSA-2018:2943 None None None 2018-10-17 21:23:01 UTC
Red Hat Product Errata RHSA-2018:3000 None None None 2018-10-24 22:06:06 UTC
Red Hat Product Errata RHSA-2018:3001 None None None 2018-10-24 22:06:41 UTC
Red Hat Product Errata RHSA-2018:3002 None None None 2018-10-24 22:07:16 UTC
Red Hat Product Errata RHSA-2018:3003 None None None 2018-10-24 22:08:01 UTC
Red Hat Product Errata RHSA-2018:3007 None None None 2018-10-24 21:39:24 UTC
Red Hat Product Errata RHSA-2018:3008 None None None 2018-10-24 21:39:59 UTC
Red Hat Product Errata RHSA-2018:3350 None None None 2018-10-30 09:18:56 UTC
Red Hat Product Errata RHSA-2018:3409 None None None 2018-10-30 16:59:52 UTC
Red Hat Product Errata RHSA-2018:3521 None None None 2018-11-07 18:13:32 UTC
Red Hat Product Errata RHSA-2018:3533 None None None 2018-11-09 11:49:27 UTC
Red Hat Product Errata RHSA-2018:3534 None None None 2018-11-09 11:50:01 UTC
Red Hat Product Errata RHSA-2018:3671 None None None 2018-11-26 15:43:05 UTC
Red Hat Product Errata RHSA-2018:3672 None None None 2018-11-26 15:43:44 UTC
Red Hat Product Errata RHSA-2018:3779 None None None 2018-12-05 15:53:28 UTC
Red Hat Product Errata RHSA-2018:3852 None None None 2018-12-18 15:51:13 UTC

Description Tomas Hoger 2018-10-16 17:30:21 UTC
It was discovered that the JNDI comment of OpenJDK did not properly enforce the restriction controlled by the com.sun.jndi.ldap.object.trustURLCodebase system property.  In certain cases, a Java LDAP client could unexpectedly load and execute code form an LDAP server.

Comment 1 Tomas Hoger 2018-10-16 19:21:41 UTC
The restriction on loading classes from remote URL and the com.sun.jndi.ldap.object.trustURLCodebase system property was introduced via this commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/255dcd4f19b6

as the fix for CVE-2009-1094.

Comment 2 Tomas Hoger 2018-10-16 20:55:01 UTC
Public now via Oracle CPU October 2018:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA

The issue was fixed in Oracle JDK 11.0.1, 8u191, 7u201, and 6u211.

Comment 4 errata-xmlrpc 2018-10-17 21:22:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2942 https://access.redhat.com/errata/RHSA-2018:2942

Comment 5 errata-xmlrpc 2018-10-17 21:22:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2943 https://access.redhat.com/errata/RHSA-2018:2943

Comment 6 Tomas Hoger 2018-10-19 20:33:02 UTC
OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/28d4d67065ab

OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/e62c1f2ef2dd

Comment 7 errata-xmlrpc 2018-10-24 21:39:17 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3007 https://access.redhat.com/errata/RHSA-2018:3007

Comment 8 errata-xmlrpc 2018-10-24 21:39:53 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3008 https://access.redhat.com/errata/RHSA-2018:3008

Comment 9 errata-xmlrpc 2018-10-24 22:06:01 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3000 https://access.redhat.com/errata/RHSA-2018:3000

Comment 10 errata-xmlrpc 2018-10-24 22:06:35 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3001 https://access.redhat.com/errata/RHSA-2018:3001

Comment 11 errata-xmlrpc 2018-10-24 22:07:11 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002

Comment 12 errata-xmlrpc 2018-10-24 22:07:54 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003

Comment 14 errata-xmlrpc 2018-10-30 09:18:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3350 https://access.redhat.com/errata/RHSA-2018:3350

Comment 15 errata-xmlrpc 2018-10-30 16:59:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3409 https://access.redhat.com/errata/RHSA-2018:3409

Comment 16 errata-xmlrpc 2018-11-07 18:13:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521

Comment 17 errata-xmlrpc 2018-11-09 11:49:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533

Comment 18 errata-xmlrpc 2018-11-09 11:49:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534

Comment 21 errata-xmlrpc 2018-11-26 15:43:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2018:3671 https://access.redhat.com/errata/RHSA-2018:3671

Comment 22 errata-xmlrpc 2018-11-26 15:43:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2018:3672 https://access.redhat.com/errata/RHSA-2018:3672

Comment 23 errata-xmlrpc 2018-12-05 15:53:22 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2018:3779 https://access.redhat.com/errata/RHSA-2018:3779

Comment 24 errata-xmlrpc 2018-12-18 15:51:12 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852


Note You need to log in before you can comment on or make changes to this bug.