Vigil@nce: OpenJDK, IcedTea6, bypassing JNLP signature
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can create a Java JNLP application which is not fully
signed, and which is not blocked by the OpenJDK compiled with
IcedTea6.
– Severity: 2/4
– Creation date: 03/02/2011
IMPACTED PRODUCTS
– OpenSUSE
– SUSE Linux Enterprise Server
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The IcedTea6 build tools compile the OpenJDK source code using only
free software.
The JNLP (Java Network Launching Protocol) protocol is used to
deploy Java applications.
A JNLP file can indicate several JAR archives, which all have to
be signed. However, if a certificate only signs a few JAR
archives, the other JAR archives are automatically processed as if
they were signed.
An attacker can therefore create a Java JNLP application which is
not fully signed, and which is not blocked by the OpenJDK compiled
with IcedTea6.
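The following Python example is added here to illustrate the check the bulletin describes; it is not code from OpenJDK, IcedTea6 or Vigil@nce. It builds a small JNLP descriptor and two in-memory JAR archives (one carrying the META-INF signature entries a signed JAR contains, one without), then contrasts the flawed policy (a launcher that treats every JAR as signed once one JAR is found signed) with the correct policy (every JAR named in the JNLP must carry a signature before trusted permissions are granted). The signature entries are only checked for presence, not cryptographically verified; the codebase URL, file names and signer name are constructed placeholders.

```python
# Added example (not IcedTea6/OpenJDK code): signature coverage of the JAR
# set named in a JNLP file. Demonstrates why a launcher must check every
# JAR rather than stop after the first signed one.
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed JNLP descriptor requesting full permissions for two JARs.
JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://example.invalid/app">
  <information><title>demo</title></information>
  <security><all-permissions/></security>
  <resources>
    <jar href="app.jar" main="true"/>
    <jar href="lib.jar"/>
  </resources>
  <application-desc main-class="Main"/>
</jnlp>
"""


def make_jar(signed: bool) -> bytes:
    """Build a minimal in-memory JAR. With signed=True, add the META-INF
    entries a jarsigner-signed archive would contain (constructed stand-ins)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.RSA", b"<constructed signature block>")
    return buf.getvalue()


def jar_has_signature(jar_bytes: bytes) -> bool:
    """True if the archive carries both a .SF file and a signature block
    (.RSA/.DSA/.EC) under META-INF/. Presence only, no verification."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in names)
    has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in names)
    return has_sf and has_block


def jnlp_jar_hrefs(jnlp_xml: str) -> list:
    """Return the href of every <jar> element in the descriptor."""
    root = ET.fromstring(jnlp_xml)
    return [j.get("href") for j in root.iter("jar")]


def signature_coverage(jnlp_xml: str, jar_store: dict) -> dict:
    """Map each JAR named in the JNLP to whether it carries a signature."""
    return {href: jar_has_signature(jar_store[href]) for href in jnlp_jar_hrefs(jnlp_xml)}


def launch_decision(jnlp_xml: str, jar_store: dict, strict: bool) -> str:
    """Decide whether the application may run with the requested permissions.

    strict=False reproduces the behaviour described in the bulletin: once a
    signed JAR is seen, the remaining JARs are treated as signed as well.
    strict=True is the correct policy: every JAR must be signed, otherwise
    the launch is refused.
    """
    coverage = signature_coverage(jnlp_xml, jar_store)
    trusted = any(coverage.values()) if not strict else all(coverage.values())
    return "trusted" if trusted else "refused"


if __name__ == "__main__":
    store = {"app.jar": make_jar(True), "lib.jar": make_jar(False)}
    print(signature_coverage(JNLP, store))
    print("flawed policy :", launch_decision(JNLP, store, strict=False))
    print("strict policy :", launch_decision(JNLP, store, strict=True))
```

With one signed and one unsigned JAR the flawed policy grants trusted permissions while the strict policy refuses the launch; only when every JAR in the descriptor is signed do both agree. A real launcher additionally has to verify each signature against the signer's certificate and check that all JARs are signed by the same trusted signer, which this presence-only check does not do.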
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenJDK-IcedTea6-bypassing-JNLP-signature-10323