CVE-2016-5597
Published: 25 October 2016
Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality via vectors related to Networking.
From the Ubuntu Security Team
It was discovered that OpenJDK did not properly handle HTTP proxy authentication. An attacker could use this to expose HTTPS server authentication credentials.
Notes
| Author | Note |
|---|---|
| sbeattie | from the upstream release notes: In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime, by adding Basic to the jdk.http.auth.tunneling.disabledSchemes networking property. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line. . Additionally, the jdk.http.auth.tunneling.disabledSchemes and jdk.http.auth.proxying.disabledSchemes networking properties, and system properties of the same name, can be used to disable other authentication schemes that may be active when setting up a tunnel for HTTPS, or proxying plain HTTP, respectively. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openjdk-6 Launchpad, Ubuntu, Debian |
precise |
Released
(6b40-1.13.12-0ubuntu0.12.04.2)
|
| trusty |
Released
(6b40-1.13.12-0ubuntu0.14.04.3)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
|
openjdk-7 Launchpad, Ubuntu, Debian |
precise |
Released
(7u121-2.6.8-1ubuntu0.12.04.1)
|
| trusty |
Released
(7u121-2.6.8-1ubuntu0.14.04.1)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
|
openjdk-8 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(8u111-b14-2ubuntu0.16.04.2)
|
|
| yakkety |
Released
(8u111-b14-2ubuntu0.16.10.2)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.9 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d689f7b806c8
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA
- http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
- https://ubuntu.com/security/notices/USN-3121-1
- https://ubuntu.com/security/notices/USN-3130-1
- https://ubuntu.com/security/notices/USN-3154-1
- https://www.cve.org/CVERecord?id=CVE-2016-5597
- NVD
- Launchpad
- Debian