First published: Tue Oct 18 2016(Updated: )
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could expose HTTPS server authentication credentials over a plain text network connection to an HTTP proxy if the proxy asked for authentication: when an HTTPS request is tunneled through the proxy with the HTTP CONNECT method, the Basic credentials sent in the Proxy-Authorization header travel unencrypted between the application and the proxy, where anyone who can read or intercept that hop can capture them. Two new network system properties are introduced as part of the fix. They restrict which HTTP authentication schemes may be used to authenticate to the proxy, depending on whether the proxied request is HTTP or HTTPS:
- jdk.http.auth.proxying.disabledSchemes lists authentication schemes that can not be used for proxy authentication when proxying plain HTTP requests. No schemes are disabled by default.
- jdk.http.auth.tunneling.disabledSchemes lists authentication schemes that can not be used for proxy authentication when proxying HTTPS requests (using the HTTP CONNECT method). The 'Basic' HTTP authentication scheme is disabled by default.
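The following is an added example, not code from the advisory or from OpenJDK. It models the policy the two properties above express (default values are those stated on the page; the comma-separated, case-insensitive parsing of the property values is an assumption about the JDK's behaviour) and, separately, shows what an observer on the plaintext hop to the proxy sees: a small parser that picks the Basic credentials out of a captured CONNECT request. The captured request is constructed for the example.

```python
import base64

# Defaults as described in the advisory: nothing is disabled for plain HTTP
# proxying, Basic is disabled when tunneling HTTPS through CONNECT.
DEFAULTS = {
    "jdk.http.auth.proxying.disabledSchemes": "",
    "jdk.http.auth.tunneling.disabledSchemes": "Basic",
}


def parse_disabled(value):
    """Split a property value into a set of scheme names.

    Assumption: the JDK treats the value as a comma-separated list and
    compares scheme names case-insensitively, ignoring surrounding spaces.
    """
    return {s.strip().lower() for s in value.split(",") if s.strip()}


def proxy_scheme_allowed(scheme, https_tunnel, props=None):
    """Return True if a 407 challenge offering `scheme` would be answered.

    `https_tunnel` selects the tunneling property (CONNECT for HTTPS) versus
    the proxying property (plain HTTP). `props` overrides the defaults, the
    way -Djdk.http.auth.tunneling.disabledSchemes=... would on the command line.
    """
    merged = dict(DEFAULTS)
    if props:
        merged.update(props)
    key = ("jdk.http.auth.tunneling.disabledSchemes" if https_tunnel
           else "jdk.http.auth.proxying.disabledSchemes")
    return scheme.lower() not in parse_disabled(merged[key])


def find_leaked_basic_credentials(raw_request):
    """Inspect one captured plaintext request sent to an HTTP proxy.

    If it is a CONNECT request carrying a Basic Proxy-Authorization header,
    return the decoded "user:password" string; otherwise return None.
    This is exactly what a passive observer of the client-to-proxy hop gets.
    """
    head, _, _ = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    if method != "CONNECT":
        return None
    for line in lines[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = val.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            return base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


# Constructed sample traffic: what a vulnerable JDK (Basic allowed for
# tunneling) would send after a 407 challenge. "YWxpY2U6czNjcmV0" is
# base64("alice:s3cret").
SAMPLE_CONNECT = (
    "CONNECT example.com:443 HTTP/1.1\r\n"
    "Host: example.com:443\r\n"
    "Proxy-Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "User-Agent: Java/1.8.0_101\r\n"
    "\r\n"
)

# A plain HTTP request through the proxy: not a tunnel, so not this CVE's case.
SAMPLE_GET = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Proxy-Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("Basic for CONNECT, default policy:",
          proxy_scheme_allowed("Basic", https_tunnel=True))
    print("Basic for CONNECT, Basic re-enabled:",
          proxy_scheme_allowed("Basic", True,
                               {"jdk.http.auth.tunneling.disabledSchemes": ""}))
    print("Credentials visible on the wire:",
          find_leaked_basic_credentials(SAMPLE_CONNECT))
```

The second override in the usage section is the configuration to look for when auditing patched JVMs: setting jdk.http.auth.tunneling.disabledSchemes to an empty value restores the pre-fix behaviour, and the CONNECT parser shows why that matters.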
Credit: secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
Oracle JDK 6 | =1.6.0-update121 | |
Oracle JDK 7 | =1.7.0-update111 | |
Oracle JDK 8 | =1.8.0-update101 | |
Oracle JDK 8 | =1.8.0-update102 | |
Oracle Java Runtime Environment (JRE) 6 | =1.6.0-update121 | |
Oracle Java Runtime Environment (JRE) 7 | =1.7.0-update111 | |
Oracle Java Runtime Environment (JRE) 8 | =1.8.0-update101 | |
Oracle Java Runtime Environment (JRE) 8 | =1.8.0-update102 | |
CVE-2016-5597 is classified as a medium severity vulnerability.
To mitigate CVE-2016-5597, update to a release of Oracle JDK or JRE later than the versions listed above. After updating, do not override the new jdk.http.auth.tunneling.disabledSchemes property to an empty value, since that re-enables Basic authentication for HTTPS tunneling and restores the vulnerable behaviour.
CVE-2016-5597 affects Oracle JDK 6 update 121, JDK 7 update 111, and JDK 8 updates 101 and 102, as well as the corresponding JRE versions.
Java applications that send HTTPS requests through an HTTP proxy requiring authentication may expose their credentials due to CVE-2016-5597: the Basic Proxy-Authorization header is sent in plain text on the CONNECT request to the proxy, outside the TLS session.
Yes, CVE-2016-5597 can be exploited remotely. No misconfiguration of the application is needed; an attacker who can observe the plain text connection between the Java application and its HTTP proxy, or who can impersonate the proxy and issue an authentication challenge, can capture the Basic credentials the application sends.