Bug 1665953 (CVE-2019-2426) - CVE-2019-2426 OpenJDK: transparent NTLM authentication enabled by default (Networking, 8209094)
Summary: CVE-2019-2426 OpenJDK: transparent NTLM authentication enabled by default (Ne...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-2426
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1661579
TreeView+ depends on / blocked
 
Reported: 2019-01-14 14:43 UTC by Tomas Hoger
Modified: 2022-03-13 16:44 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-14 14:44:48 UTC
Embargoed:

Attachments (Terms of Use)

Description Tomas Hoger 2019-01-14 14:43:33 UTC 
It was discovered that the HTTP client implementation in the Networking component of OpenJDK enabled transparent NTLM authentication by default.  This could lead to an information leak in communication with untrusted servers.

The fix introduces a new network property jdk.http.ntlm.transparentAuth, which can be used to control the use of the transparent NTLM authentication, and that can take values of disabled (default), allHosts, or trustedHosts.

This issue only affected version of OpenJDK for Microsoft Windows, versions for Linux were not affected.
Comment 1 Tomas Hoger 2019-01-15 22:07:58 UTC 
Public now via Oracle CPU January 2019:

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixJAVA

Fixed in Oracle Java 11.0.2, 8u201, and 7u211.
Comment 2 Tomas Hoger 2019-02-13 16:30:02 UTC 
OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d0d0b71e3a2a

OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/12084427f1e2
Note You need to log in before you can comment on or make changes to this bug.