Bug 20165 - java-1.8.0-openjdk new security issues
Summary: java-1.8.0-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/712058/
Whiteboard: MGA5-64-OK mga5-32-ok advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-23 13:03 CET by David Walser
Modified: 2017-02-05 21:43 CET
CC: 6 users

See Also:
Source RPM: java-1.8.0-openjdk-1.8.0.111-1.b16.1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-01-23 13:03:02 CET
RedHat has issued an advisory on January 20:
https://rhn.redhat.com/errata/RHSA-2017-0180.html

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
David Walser 2017-01-23 13:03:20 CET

Whiteboard: (none) => MGA5TOO

David Walser 2017-01-24 02:38:59 CET

URL: (none) => https://lwn.net/Vulnerabilities/712058/

Comment 1 Marja Van Waes 2017-01-24 13:05:42 CET
Assigning to the registered maintainer

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 2 David Walser 2017-01-26 00:08:38 CET
We'll probably want to update copy-jdk-configs with this as well:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GZOPXPD7WPE3LDX5KRJVFVVHZ5J2MY6O/
Comment 3 David Walser 2017-01-27 23:33:13 CET
Hi Nicolas,

I checked the changes for java-1.8.0-openjdk into SVN, but I can't update the Source1 tarball.  Hg doesn't have u121 tagged.  Maybe we need to solve this problem differently, like modifying SOURCES/pr1983-jdk.patch?

CC: (none) => nicolas.salguero

Comment 4 David Walser 2017-01-27 23:39:05 CET
copy-jdk-configs update checked into SVN as well for when this is ready.
Comment 5 Nicolas Salguero 2017-01-28 17:38:49 CET
(In reply to David Walser from comment #3)
> Hi Nicolas,

Hi David,

> I checked the changes for java-1.8.0-openjdk into SVN, but I can't update
> the Source1 tarball.  Hg doesn't have u121 tagged.  Maybe we need to solve
> this problem differently, like modifying SOURCES/pr1983-jdk.patch?

Maybe you could use the previous version of my script: http://svnweb.mageia.org/packages/cauldron/java-1.8.0-openjdk/current/SOURCES/mga-add-missing-files.sh?view=markup&pathrev=1043832 (with "aarch64-jdk8u121-b13" as argument since it is the latest tag possible in the branch jdk8u).
Comment 6 David Walser 2017-01-28 21:33:16 CET
Thanks Nicolas!  That's worth a shot.
Comment 7 David Walser 2017-01-29 19:10:15 CET
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

It was discovered that the RMI registry and DGC implementations in the RMI
component of OpenJDK performed deserialization of untrusted inputs. A remote
attacker could possibly use this flaw to execute arbitrary code with the
privileges of RMI registry or a Java RMI application (CVE-2017-3241).

This issue was addressed by introducing whitelists of classes that can be
deserialized by RMI registry or DGC. These whitelists can be customized using
the newly introduced sun.rmi.registry.registryFilter and
sun.rmi.transport.dgcFilter security properties.

Multiple flaws were discovered in the Libraries and Hotspot components in
OpenJDK. An untrusted Java application or applet could use these flaws to
completely bypass Java sandbox restrictions (CVE-2017-3272, CVE-2017-3289).

A covert timing channel flaw was found in the DSA implementation in the
Libraries component of OpenJDK. A remote attacker could possibly use this flaw
to extract certain information about the used key via a timing side channel
(CVE-2016-5548).

It was discovered that the Libraries component of OpenJDK accepted ECDSA
signatures using non-canonical DER encoding. This could cause a Java application
to accept a signature in an incorrect format not accepted by other cryptographic
tools (CVE-2016-5546).

It was discovered that the 2D component of OpenJDK performed parsing of iTXt
and zTXt PNG image chunks even when configured to ignore metadata. An attacker
able to make a Java application parse a specially crafted PNG image could cause
the application to consume an excessive amount of memory (CVE-2017-3253).

It was discovered that the Libraries component of OpenJDK did not validate the
length of the object identifier read from the DER input before allocating memory
to store the OID. An attacker able to make a Java application decode a specially
crafted DER input could cause the application to consume an excessive amount of
memory (CVE-2016-5547).

It was discovered that the JAAS component of OpenJDK did not use the correct
way to extract user DN from the result of the user search LDAP query. A
specially crafted user LDAP entry could cause the application to use an
incorrect DN (CVE-2017-3252).

It was discovered that the Networking component of OpenJDK failed to properly
parse user info from the URL. A remote attacker could cause a Java application
to incorrectly parse an attacker supplied URL and interpret it differently from
other applications processing the same URL (CVE-2016-5552).

Multiple flaws were found in the Networking components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass certain
Java sandbox restrictions (CVE-2017-3261, CVE-2017-3231).

A flaw was found in the way the DES/3DES cipher was used as part of the
TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover
some plaintext data by capturing large amounts of encrypted traffic between
TLS/SSL server and client if the communication used a DES/3DES based
ciphersuite (CVE-2016-2183).

This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to
the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms
security property) so they are only used if connecting TLS/SSL client and server
do not share any other non-legacy cipher suite.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3253
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3289
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://rhn.redhat.com/errata/RHSA-2017-0180.html
========================

Updated packages in core/updates_testing:
========================
copy-jdk-configs-2.0-1.mga5
java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-headless-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-devel-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-demo-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-src-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.121-1.b14.1.mga5

from SRPMS:
copy-jdk-configs-2.0-1.mga5.src.rpm
java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia

Comment 8 Lewis Smith 2017-01-31 21:39:10 CET
Testing pointer: https://bugs.mageia.org/show_bug.cgi?id=19626#c8
--------------
I wasted time in vain on this before, and this link includes things that eventually proved useful. Remember to have 'icedtea-web' installed, and ensure that Firefox knows it is there (plugin). Be aware that you have a *lot* of clicking to get through the various examples.

CC: (none) => lewyssmith

Comment 9 Lewis Smith 2017-02-01 09:53:20 CET
Testing M5_64

Had better luck with the tests than reported in the link above; by mistake, I used Opera 12:

 http://www.java.com/en/download/installed.jsp
Verified Java Version
Congratulations!
You have the recommended Java installed (Version 8 Update 121).

 http://javatester.org/version.html
Correctly showed the pink triangle with
 "Java Version: 1.8.0_121 from Oracle Corporation"

 http://www.w3.org/People/mimasa/test/object/java/
All 5 tests worked; the first with 2 rows of several clocks; the rest popping up Othello games. To start these, you need to first click on the "Press space bar to start game" control, then press it. Did not pursue.

 https://docs.oracle.com/javase/tutorial/deployment/applet/examplesIndex.html
At least some of these worked OK; did not try them all.

Update looks good. OK.

Whiteboard: (none) => MGA5-64-OK

Comment 10 Lewis Smith 2017-02-01 10:15:27 CET
Forgot to specify the updated package versions tested:
 java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga5
 java-1.8.0-openjdk-headless-1.8.0.121-1.b14.1.mga5

Advisory uploaded.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 11 Brian Rockwell 2017-02-04 20:47:46 CET
The following 6 packages are going to be installed:

- java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga5.i586
- java-1.8.0-openjdk-accessibility-1.8.0.121-1.b14.1.mga5.i586
- java-1.8.0-openjdk-devel-1.8.0.121-1.b14.1.mga5.i586
- java-1.8.0-openjdk-headless-1.8.0.121-1.b14.1.mga5.i586
- java-1.8.0-openjdk-javadoc-1.8.0.121-1.b14.1.mga5.noarch
- java-atk-wrapper-0.30.4-6.mga5.i586

309MB of additional disk space will be used.



[brian@localhost ~]$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux
[brian@localhost ~]$ 

[brian@localhost ~]$ java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b14)
OpenJDK Server VM (build 25.121-b14, mixed mode)


[brian@localhost ~]$ javac -version
javac 1.8.0_121

I ran one of my old programs - seems to be working as designed.  Fun!

[brian@localhost BookReader]$ java GUIBookStart
0
/media/sf_vmshare/BookReader/TERMC10.TXT
Average Columns 31
14
Average Columns 55
Average Columns 55

Saving position: 21318
[brian@localhost BookReader]$

CC: (none) => brtians1

Brian Rockwell 2017-02-04 20:48:13 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK mga5-32-ok advisory
CC: (none) => sysadmin-bugs
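The QA comments above verify the update by running `java -version` and applets by hand. The script below is an added example (not part of the Mageia update, the advisory, or any of the comments) that turns two points of the advisory into a repeatable check on a deployed JDK: that the runtime is an 8u121 or later build, that the 3DES cipher suites are listed in the jdk.tls.legacyAlgorithms security property (the CVE-2016-2183 mitigation), and whether the new sun.rmi.registry.registryFilter / sun.rmi.transport.dgcFilter properties (the CVE-2017-3241 mitigation) have been customised. The java.security excerpt is constructed here, as is the 3DES token name 3DES_EDE_CBC and the sample DGC filter; the version output is the one Brian posted in comment 11. Only the property names come from the advisory.

```shell
#!/bin/sh
# Added QA helper, not part of the Mageia update or the bug report.
# Assumptions: property names as in the advisory; the sample java.security
# excerpt, the 3DES token "3DES_EDE_CBC" and the DGC filter are constructed.

# Read one property from a java.security-style file. Skips comment lines and
# joins backslash continuation lines. $1 = file, $2 = property name.
java_security_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            # a trailing backslash continues the value on the next line
            while (line ~ /\\[ \t]*$/ && (getline nxt) > 0) {
                sub(/\\[ \t]*$/, "", line)
                line = line nxt
            }
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr(line, eq + 1); gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            print v
            exit
        }' "$1"
}

# Return 0 if the comma-separated list $1 contains the exact token $2.
list_has_token() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qx -- "$2"
}

# Print the update number N from `java -version` output of a 1.8.0_N build,
# e.g. 'openjdk version "1.8.0_121"' -> 121. Prints nothing for other majors.
java8_update_level() {
    printf '%s\n' "$1" | sed -n 's/.*"1\.8\.0_\([0-9][0-9]*\)".*/\1/p' | head -n 1
}

# Run the checks. $1 = java.security file, $2 = captured `java -version` output.
# Prints one line per check; returns 0 only if the version and 3DES checks pass.
check_openjdk_update() {
    file=$1; version_out=$2; ok=0

    upd=$(java8_update_level "$version_out")
    if [ -n "$upd" ] && [ "$upd" -ge 121 ]; then
        echo "OK   runtime is 1.8.0_$upd (>= 8u121)"
    else
        echo "FAIL runtime is not an 8u121 or later build"; ok=1
    fi

    legacy=$(java_security_get "$file" jdk.tls.legacyAlgorithms)
    if list_has_token "$legacy" 3DES_EDE_CBC; then
        echo "OK   3DES suites are in jdk.tls.legacyAlgorithms"
    else
        echo "FAIL 3DES is not in jdk.tls.legacyAlgorithms: '$legacy'"; ok=1
    fi

    # An empty or commented-out filter means the built-in whitelist applies.
    for p in sun.rmi.registry.registryFilter sun.rmi.transport.dgcFilter; do
        f=$(java_security_get "$file" "$p")
        if [ -n "$f" ]; then
            echo "INFO $p is customised: $f"
        else
            echo "INFO $p not set; built-in whitelist applies"
        fi
    done
    return $ok
}

# Constructed java.security excerpt (not Mageia's real file).
SAMPLE_SECURITY='# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA
jdk.tls.legacyAlgorithms= \
    K_NULL, C_NULL, M_NULL, DH_anon, ECDH_anon, \
    RC4_128, RC4_40, 3DES_EDE_CBC, DES_CBC, DES40_CBC
#sun.rmi.registry.registryFilter=
sun.rmi.transport.dgcFilter=java.rmi.server.ObjID;java.rmi.dgc.VMID;java.rmi.dgc.Lease;!*'

# `java -version` output as posted in comment 11.
SAMPLE_VERSION='openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b14)
OpenJDK Server VM (build 25.121-b14, mixed mode)'

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SECURITY" > "$tmp"
check_openjdk_update "$tmp" "$SAMPLE_VERSION"
rm -f "$tmp"
```

On a real system the two inputs would be `$JAVA_HOME/jre/lib/security/java.security` and `java -version 2>&1`; a site that ships its own java.security and never picked up the new jdk.tls.legacyAlgorithms value is exactly the case the 3DES check is meant to catch.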

Comment 12 Mageia Robot 2017-02-05 21:43:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0041.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
