Debian Bug report logs - #653964
glassfish predictable hash collisions

Package: glassfish; Maintainer for glassfish is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sun, 1 Jan 2012 22:54:12 UTC

Severity: serious

Tags: security

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#653964; Package glassfish. (Sun, 01 Jan 2012 22:54:15 GMT)

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Jan 2012 22:54:15 GMT)

Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: glassfish predictable hash collisions
Date: Sun, 1 Jan 2012 23:53:36 +0100
Package: glassfish
Severity: serious
Tags: security

Hi,

It was reported that Glassfish is affected by the predictable hash collisions 
attack that made its rounds around the net this week. This is tracked at
http://security-tracker.debian.org/tracker/CVE-2011-5035

Can you ensure that fixed packages are uploaded to sid as soon as possible, 
and assert whether a fix for lenny and squeeze would be necessary?

Cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#653964; Package glassfish. (Mon, 02 Jan 2012 08:58:17 GMT)

Acknowledgement sent to Torsten Werner <twerner@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Jan 2012 08:58:24 GMT)

Message #10 received at 653964@bugs.debian.org:

From: Torsten Werner <twerner@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 653964@bugs.debian.org
Subject: Re: Bug#653964: glassfish predictable hash collisions
Date: Mon, 2 Jan 2012 09:56:20 +0100
Hi,

On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst <thijs@debian.org> wrote:
> It was reported that Glassfish is affected by the predictable hash collisions
> attack that made its rounds around the net this week. This is tracked at
> http://security-tracker.debian.org/tracker/CVE-2011-5035

I do not think that we are vulnerable because Debian does not ship a
full glassfish stack. We build some core libs only.

> Can you ensure that fixed packages are uploaded to sid as soon as possible,
> and assert whether a fix for lenny and squeeze would be necessary?

I do not even understand how to reproduce the issue. May you elaborate
on that, please?

Thanks,
Torsten




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#653964; Package glassfish. (Mon, 02 Jan 2012 09:42:26 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Jan 2012 09:42:39 GMT)

Message #15 received at 653964@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Torsten Werner" <twerner@debian.org>
Cc: 653964@bugs.debian.org
Subject: Re: Bug#653964: glassfish predictable hash collisions
Date: Mon, 2 Jan 2012 10:40:12 +0100
On Mon, January 2, 2012 09:56, Torsten Werner wrote:
> Hi,
>
> On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst <thijs@debian.org> wrote:
>> It was reported that Glassfish is affected by the predictable hash collisions
>> attack that made its rounds around the net this week. This is tracked at
>> http://security-tracker.debian.org/tracker/CVE-2011-5035
>
> I do not think that we are vulnerable because Debian does not ship a
> full glassfish stack. We build some core libs only.

Perhaps that depends on whether the affected function is in those libs and
hence exposed in some way to outside-facing services.

>> Can you ensure that fixed packages are uploaded to sid as soon as possible,
>> and assert whether a fix for lenny and squeeze would be necessary?
>
> I do not even understand how to reproduce the issue. May you elaborate
> on that, please?

It's a generic vulnerability. More details on that are in here:
http://www.kb.cert.org/vuls/id/903934
I do not immediately know how this relates to Glassfish specifically, but
in the general case it boils down to doing a crafted request which
exploits complexity in the implementation such that all processing power
is consumed by dealing with the request.

For the specific case, there's apparently "Oracle security ticket
S0104869", but I don't know how to access that. oCERT says: "Oracle
reports that the issue is fixed in the main codeline and scheduled for a
future CPU".

Does this help you a bit?


Thijs
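The kind of countermeasure the message above points at, added here as an illustration that is neither GlassFish code nor from this thread: a hypothetical `BoundedFormParser` (assumed name and an assumed per-request limit) that refuses a request carrying more parameters than a fixed cap, so a request built from colliding keys cannot force unbounded hash-table work.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical form-body parser that caps the number of parameters a
 *  single request may carry. Not GlassFish code: an illustration of the
 *  parameter-count limit style of mitigation discussed in this thread. */
public final class BoundedFormParser {
    /** Upper bound on parameters per request (assumed value, set by caller). */
    private final int maxParameterCount;

    public BoundedFormParser(int maxParameterCount) {
        this.maxParameterCount = maxParameterCount;
    }

    /** Thrown when a request exceeds the configured limit. */
    public static final class TooManyParametersException extends Exception {
        TooManyParametersException(String msg) { super(msg); }
    }

    /** Parses "a=1&b=2" into a map; the limit is checked before the excess
     *  key is decoded or inserted, so the hash-table work per request stays
     *  bounded by maxParameterCount. */
    public Map<String, String> parse(String body)
            throws TooManyParametersException, UnsupportedEncodingException {
        Map<String, String> params = new HashMap<>();
        int count = 0;
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            if (++count > maxParameterCount) {
                throw new TooManyParametersException(
                    "request carries more than " + maxParameterCount + " parameters");
            }
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, "UTF-8"), URLDecoder.decode(val, "UTF-8"));
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        BoundedFormParser parser = new BoundedFormParser(3);
        // Constructed sample bodies: one within the limit, one over it.
        System.out.println(parser.parse("user=alice&lang=en"));
        try {
            parser.parse("a=1&b=2&c=3&d=4");
        } catch (TooManyParametersException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With every key landing in one bucket, each insert into a plain hash table costs time linear in the keys already present, so a cap of N parameters keeps the worst case at roughly N squared operations instead of letting it grow with the request body; this is the shape of the limit several web stacks adopted in response to this issue.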




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#653964; Package glassfish. (Mon, 02 Jan 2012 18:27:12 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 02 Jan 2012 18:27:12 GMT)

Message #20 received at 653964@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Torsten Werner <twerner@debian.org>
Cc: Thijs Kinkhorst <thijs@debian.org>, 653964@bugs.debian.org
Subject: Re: Bug#653964: glassfish predictable hash collisions
Date: Mon, 2 Jan 2012 19:24:05 +0100
On Mon, Jan 02, 2012 at 09:56:20AM +0100, Torsten Werner wrote:
> Hi,
> 
> On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst <thijs@debian.org> wrote:
> > It was reported that Glassfish is affected by the predictable hash collisions
> > attack that made its rounds around the net this week. This is tracked at
> > http://security-tracker.debian.org/tracker/CVE-2011-5035
> 
> I do not think that we are vulnerable because Debian does not ship a
> full glassfish stack. We build some core libs only.
> 
> > Can you ensure that fixed packages are uploaded to sid as soon as possible,
> > and assert whether a fix for lenny and squeeze would be necessary?
> 
> I do not even understand how to reproduce the issue. May you elaborate
> on that, please?

The advisory can be found here: http://www.nruns.com/_downloads/advisory28122011.pdf

I'm not sure where to find "Oracle security ticket S0104869", though.

Cheers,
         Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#653964; Package glassfish. (Sun, 13 May 2012 22:15:05 GMT)

Acknowledgement sent to "Damien Raude-Morvan" <drazzib@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 13 May 2012 22:15:05 GMT)

Message #25 received at 653964@bugs.debian.org:

From: "Damien Raude-Morvan" <drazzib@debian.org>
To: Steve McIntyre <steve@einval.com>
Cc: Julien Cristau <jcristau@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 611138@bugs.debian.org, 653964@bugs.debian.org
Subject: CVE-2010-4438 / CVE-2011-5035
Date: Mon, 14 May 2012 00:13:50 +0200
Hi all,

On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
> >Sadly, no :/ I must admit that Oracle does not publish details of its
> >fixes so it's hard to confirm firmly what's component is exactly
> >impacted.
> >
> >I'll try to revive my contact @Oracle to get some feedback on this
> >issue (on future security issues).
> 
> Hi,
> 
> Any news on this?

I'll just start by restating my initial comment on both issues:
-----
We don't build any real "Glassfish Server" but just some parts of the API
library used as Java EE specifications. As for any specification, this is just a
collection of interfaces and doesn't have much more implementation than dumb or
stub code.
-----

So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
packages.

But I cannot be 100% sure since:
- Upstream bugtracker [1] doesn't contain any reference to those security issues
- My Oracle contact (GlassFish community manager) only told me that
"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
for paying customers). The fix is in the trunk and will be integrated in the
3.1.2 release scheduled for later this quarter"

I don't think I'll do further investigation on those issues...
At least, there is one instructive thing: we have to think twice before
integrating a full-blown Glassfish JEE server (i.e. not just the API) into Debian
as from my point of view Glassfish security is not handled as an open source
project should.

[1] http://java.net/jira/browse/GLASSFISH

Cheers,
-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#653964; Package glassfish. (Mon, 14 May 2012 14:54:05 GMT)

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 14 May 2012 14:54:05 GMT)

Message #30 received at 653964@bugs.debian.org:

From: Steve McIntyre <steve@einval.com>
To: Damien Raude-Morvan <drazzib@debian.org>
Cc: Julien Cristau <jcristau@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 611138@bugs.debian.org, 653964@bugs.debian.org
Subject: Re: CVE-2010-4438 / CVE-2011-5035
Date: Mon, 14 May 2012 15:50:30 +0100
On Mon, May 14, 2012 at 12:13:50AM +0200, Damien Raude-Morvan wrote:
>Hi all,
>
>On Sunday 13 May 2012 18:54:38, Steve McIntyre wrote:
>> >Sadly, no :/ I must admit that Oracle does not publish details of its
>> >fixes so it's hard to confirm firmly what's component is exactly
>> >impacted.
>> >
>> >I'll try to revive my contact @Oracle to get some feedback on this
>> >issue (on future security issues).
>> 
>> Hi,
>> 
>> Any news on this?
>
>I'll just start by restating my initial comment on both issues:
>-----
>We don't build any real "Glassfish Server" but just some parts of the API
>library used as Java EE specifications. As for any specification, this is just a
>collection of interfaces and doesn't have much more implementation than dumb or
>stub code.
>-----
>
>So I don't think that CVE-2010-4438 or CVE-2011-5035 affect Debian binary
>packages.

OK, fair enough.

>But I cannot be 100% sure since:
>- Upstream bugtracker [1] doesn't contain any reference to those security issues
>- My Oracle contact (GlassFish community manager) only told me that
>"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
>for paying customers). The fix is in the trunk and will be integrated in the
>3.1.2 release scheduled for later this quarter"
>
>I don't think I'll do further investigation on those issues...
>At least, there is one instructive thing: we have to think twice before
>integrating a full-blown Glassfish JEE server (i.e. not just the API) into Debian
>as from my point of view Glassfish security is not handled as an open source
>project should.

Yes, I'd have to agree with that. :-(

If you're *reasonably* confident that we're not affected by those
CVE issues, is it worth maybe dropping the severity of the Debian bugs
from serious?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss





Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Tue, 03 Jul 2012 21:07:19 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Tue, 03 Jul 2012 21:07:29 GMT)

Message #35 received at 653964-done@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steve McIntyre <steve@einval.com>
Cc: Damien Raude-Morvan <drazzib@debian.org>, Julien Cristau <jcristau@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 611138@bugs.debian.org, 653964-done@bugs.debian.org
Subject: Re: CVE-2010-4438 / CVE-2011-5035
Date: Tue, 3 Jul 2012 23:02:45 +0200
On Mon, May 14, 2012 at 03:50:30PM +0100, Steve McIntyre wrote:
> >- Upstream bugtracker [1] doesn't contain any reference to those security issues
> >- My Oracle contact (GlassFish community manager) only told me that
> >"CVE-2011-5035 is integrated in GlassFish 3.1.1 Patch 2 (an update to 3.1.1
> >for paying customers). The fix is in the trunk and will be integrated in the
> >3.1.2 release scheduled for later this quarter"
> >
> >I don't think I'll do further investigation on those issues...
> >At least, there is one instructive thing: we have to think twice before
> >integrating a full-blown Glassfish JEE server (i.e. not just the API) into Debian
> >as from my point of view Glassfish security is not handled as an open source
> >project should.
> 
> Yes, I'd have to agree with that. :-(
> 
> If you're *reasonably* confident that we're not affected by those
> CVE issues, is it worth maybe dropping the severity of the Debian bugs
> from serious?

I'm closing the bug. Even if that issue should affect Debian against all odds,
it will be fixed when the generic hash collision countermeasures are integrated
in openjdk-7 (which will very likely be part of Wheezy at least).

Cheers,
        Moritz




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Aug 2012 07:30:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 12:00:32 2014; Machine Name: beach.debian.org
