CVE-2016-5597: Infoleak
First published: Tue Oct 18 2016(Updated: )
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication. Two new network system properties are introduced as part of the fix which restrict HTTP authentication schemes that can be used for authentication to proxy depending on whether proxied request is HTTP or HTTPS: - jdk.http.auth.proxying.disabledSchemes lists authentication schemes that can not be used for proxy authentication when proxying HTTP request. No schemes are disabled by default. - jdk.http.auth.tunneling.disabledSchemes lists authentication schemes that can not be used for proxy authentication when proxying HTTPS request (using HTTP CONNECT method). The 'Basic' HTTP authentication scheme is disabled by default.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.6.0-update121 | |
| Oracle JDK | =1.7.0-update111 | |
| Oracle JDK | =1.8.0-update101 | |
| Oracle JDK | =1.8.0-update102 | |
| Oracle JRE | =1.6.0-update121 | |
| Oracle JRE | =1.7.0-update111 | |
| Oracle JRE | =1.8.0-update101 | |
| Oracle JRE | =1.8.0-update102 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2016-2079.html
- http://rhn.redhat.com/errata/RHSA-2016-2088.html
- http://rhn.redhat.com/errata/RHSA-2016-2089.html
- http://rhn.redhat.com/errata/RHSA-2016-2090.html
- http://rhn.redhat.com/errata/RHSA-2016-2136.html
- http://rhn.redhat.com/errata/RHSA-2016-2137.html
- http://rhn.redhat.com/errata/RHSA-2016-2138.html
- http://rhn.redhat.com/errata/RHSA-2016-2658.html
- http://rhn.redhat.com/errata/RHSA-2016-2659.html
- http://rhn.redhat.com/errata/RHSA-2017-0061.html
- http://www.debian.org/security/2016/dsa-3707
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/bid/93636
- http://www.securitytracker.com/id/1037040
- http://www.ubuntu.com/usn/USN-3130-1
- http://www.ubuntu.com/usn/USN-3154-1
- https://access.redhat.com/errata/RHSA-2017:1216
- https://security.gentoo.org/glsa/201611-04
- https://security.gentoo.org/glsa/201701-43
- https://security.netapp.com/advisory/ntap-20161019-0001/
- http://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
- http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
- http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_121
- http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_131
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d689f7b806c8
- https://rhn.redhat.com/errata/RHSA-2016-2079.html
- https://rhn.redhat.com/errata/RHSA-2016-2088.html
- https://rhn.redhat.com/errata/RHSA-2016-2090.html
- https://rhn.redhat.com/errata/RHSA-2016-2089.html
- https://rhn.redhat.com/errata/RHSA-2016-2138.html
- https://rhn.redhat.com/errata/RHSA-2016-2137.html
- https://rhn.redhat.com/errata/RHSA-2016-2136.html
- https://rhn.redhat.com/errata/RHSA-2016-2659.html
- https://rhn.redhat.com/errata/RHSA-2016-2658.html
- https://rhn.redhat.com/errata/RHSA-2017-0061.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1386103
- collector/nvd-index
- agent/weakness
- agent/author
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-5597
- agent/severity
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.6.0-update121
- version/oracle jdk/1.7.0-update111
- version/oracle jdk/1.8.0-update101
- version/oracle jdk/1.8.0-update102
- canonical/oracle jre
- version/oracle jre/1.6.0-update121
- version/oracle jre/1.7.0-update111
- version/oracle jre/1.8.0-update101
- version/oracle jre/1.8.0-update102