sevko - 2 years ago 74
Java Question

Detecting a patched version of OpenJDK

I need to determine whether a user's version of OpenJDK is susceptible to a particular security vulnerability. As an example, CVE-2016-0695 was discovered in OpenJDK 8u77, as revealed in the April 2016 Critical Patch Update. Ideally, detecting whether a user's OpenJDK version is vulnerable would be as simple as checking whether it's <= 8u77 or > 8u77 and accordingly marking it as vulnerable or not (assuming that all previous versions are also vulnerable and that the fix gets applied by the next version). The picture gets muddied by manual patches, though.

If I understand correctly, the April 2016 patch would be automatically bundled into the next version of OpenJDK8 (8u91, in this case), but would also be available for manual application. The latter would probably be an attractive option to risk-averse users who want to keep their Java version as-is while patching security holes. If a user manually applies the patch to their 8u77 install, is there any way for me to detect that? For instance, does the version number reported by java -version change? Or is there no indicator that a patch had been applied?

Answer Source

If the OpenJDK build comes from a vendor, the vendor may publish security information. For example, here is the CVE-2016-0695 security information from Debian. This information typically contains the first fixed package version, according to some vendor-specific versioning scheme.

However, in general, you need to obtain the sources for that OpenJDK build and review them to see whether they contain the fix.

To find the patch corresponding to a particular CVE ID (say CVE-2016-0695), in most cases, the easiest way is to go to the Red Hat Bugzilla tracker, here the flaw bug for CVE-2016-0695, and note the internal Oracle bug number listed there, 8138593 in this case. Then you need to check out the appropriate OpenJDK sub-tree, in this case for the jdk component:

hg clone http://hg.openjdk.java.net/jdk8u/jdk8u/jdk

And look in the history for the appropriate commit, based on the Oracle bug number (8138593):

changeset:   11581:594e8dca337c
user:        igerasim
date:        Thu Dec 24 08:42:10 2015 +0300
summary:     8138593: Make DSA more fair

The commits themselves do not contain CVE IDs (which are often not available when the fix is written, so this is understandable), so the detour via the Red Hat bug tracker is needed. (I have not seen a CVE-ID-to-bug-number mapping from Oracle.)

You can view the patch using another Mercurial command:

hg export 594e8dca337c

Once you have the patch, it is a matter of reviewing the source code to check whether it has been applied. If you cannot obtain the source code for some reason, for changes to the jdk, it is often sufficient to disassemble the relevant classes using javap -c. For native code, you need a different disassembler (such as objdump -dr).

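The procedure in the answer above (find the fixing changeset by Oracle bug number, get the diff with hg export, then check whether the added lines are present in the sources or whether their traces show up in javap -c output) can be scripted. The following is an added example, not code from the original post or from OpenJDK: it works on captured text only, so it runs offline. The hg log excerpt reuses the real 594e8dca337c / 8138593 entry from the page plus a made-up neighbour; the diff, source trees and javap listing are constructed stand-ins for a hypothetical file Widget.java, not the actual 8138593 change.

```python
"""Added example: locate a fixing changeset by bug number, then decide from a
source tree or from `javap -c` output whether the patch has been applied.
All sample inputs are constructed; the diff is hypothetical, NOT the real
8138593 patch."""
import re
from typing import Dict, List, Optional

# Constructed `hg log` excerpt (only 594e8dca337c / 8138593 come from the page).
SAMPLE_HG_LOG = """\
changeset:   11582:0f0f0f0f0f0f
user:        nobody
date:        Fri Dec 25 09:00:00 2015 +0300
summary:     8000000: Hypothetical unrelated change

changeset:   11581:594e8dca337c
user:        igerasim
date:        Thu Dec 24 08:42:10 2015 +0300
summary:     8138593: Make DSA more fair
"""

# Constructed, hypothetical `hg export` output standing in for the real patch.
SAMPLE_DIFF = """\
diff -r 0f0f0f0f0f0f -r 594e8dca337c src/share/classes/example/Widget.java
--- a/src/share/classes/example/Widget.java
+++ b/src/share/classes/example/Widget.java
@@ -10,4 +10,6 @@
     int compute(byte[] in) {
-        return legacyHelper(in);
+        if (in == null) {
+            throw new IllegalArgumentException("input must not be null");
+        }
+        return fixedHelper(in);
     }
"""

# Constructed source trees (path -> file text): one patched, one not.
WIDGET = "src/share/classes/example/Widget.java"
PATCHED_TREE = {WIDGET: "class Widget {\n    int compute(byte[] in) {\n"
                        "        if (in == null) {\n"
                        "            throw new IllegalArgumentException(\"input must not be null\");\n"
                        "        }\n        return fixedHelper(in);\n    }\n}\n"}
UNPATCHED_TREE = {WIDGET: "class Widget {\n    int compute(byte[] in) {\n"
                          "        return legacyHelper(in);\n    }\n}\n"}

# Constructed `javap -c` listing of the patched method; the constant-pool
# comments are where string literals and callee names become visible.
PATCHED_JAVAP = """\
  int compute(byte[]);
    Code:
       0: aload_1
       1: ifnonnull     14
       4: new           #2   // class java/lang/IllegalArgumentException
       7: dup
       8: ldc           #3   // String input must not be null
      10: invokespecial #4   // Method java/lang/IllegalArgumentException."<init>":(Ljava/lang/String;)V
      13: athrow
      14: aload_0
      15: aload_1
      16: invokevirtual #5   // Method fixedHelper:([B)I
      19: ireturn
"""


def find_changeset(hg_log: str, bug_number: str) -> Optional[str]:
    """Step 1: hash of the changeset whose summary starts with the bug number."""
    current = None
    for line in hg_log.splitlines():
        m = re.match(r"changeset:\s+\d+:([0-9a-f]+)", line)
        if m:
            current = m.group(1)
        elif re.match(rf"summary:\s+{re.escape(bug_number)}:", line):
            return current
    return None


def parse_unified_diff(diff_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Path -> added/removed code lines, stripped; lines with no word chars
    (lone braces, blanks) are dropped because they match anywhere."""
    files: Dict[str, Dict[str, List[str]]] = {}
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:].split("\t")[0])
            files[path] = {"added": [], "removed": []}
        elif path is None or line.startswith(("--- ", "@@", "diff ")):
            continue
        elif line[:1] in ("+", "-") and re.search(r"\w", line[1:]):
            files[path]["added" if line[0] == "+" else "removed"].append(line[1:].strip())
    return files


def patch_status(diff_text: str, tree: Dict[str, str]) -> Dict[str, str]:
    """Step 2: per file, 'applied', 'not applied', 'inconclusive' or 'missing'.
    Heuristic only: every added line present and no removed line present
    means applied; the reverse means not applied; anything else needs eyes."""
    status = {}
    for path, change in parse_unified_diff(diff_text).items():
        src = tree.get(path)
        if src is None:
            status[path] = "missing"
            continue
        have = {l.strip() for l in src.splitlines()}
        added_in = all(l in have for l in change["added"])
        removed_in = any(l in have for l in change["removed"])
        status[path] = ("applied" if added_in and not removed_in else
                        "not applied" if removed_in and not added_in else "inconclusive")
    return status


def javap_evidence(diff_text: str, javap_out: str) -> Dict[str, bool]:
    """Step 3: no sources? Look in `javap -c` output for the string literals and
    callee/class names the patch introduces (keywords like if/for excluded)."""
    seen = {}
    for change in parse_unified_diff(diff_text).values():
        for line in change["added"]:
            for lit in re.findall(r'"([^"]*)"', line):
                seen[lit] = ("String " + lit) in javap_out
            for name in re.findall(r"\b([A-Za-z_]\w*)\(", line):
                if name not in {"if", "for", "while", "switch", "catch"}:
                    seen[name] = name in javap_out
    return seen


if __name__ == "__main__":
    print("changeset for 8138593:", find_changeset(SAMPLE_HG_LOG, "8138593"))
    print("patched tree:  ", patch_status(SAMPLE_DIFF, PATCHED_TREE))
    print("unpatched tree:", patch_status(SAMPLE_DIFF, UNPATCHED_TREE))
    print("javap evidence:", javap_evidence(SAMPLE_DIFF, PATCHED_JAVAP))
```

In practice you would feed the script the real outputs of hg log, hg export 594e8dca337c and javap -c, and treat "inconclusive" (or evidence that is only partly present) as a prompt for the manual review the answer recommends, since a vendor backport may land the same fix with different surrounding lines.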