CVE-2016-5597

Priority
Description
Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java
SE Embedded 8u101 allows remote attackers to affect confidentiality via
vectors related to Networking.
Ubuntu-Description
It was discovered that OpenJDK did not properly handle HTTP proxy
authentication. An attacker could use this to expose HTTPS server
authentication credentials.
Notes
sbeattie: from the upstream release notes:
In some environments, certain authentication schemes
may be undesirable when proxying HTTPS. Accordingly,
the Basic authentication scheme has been deactivated, by
default, in the Oracle Java Runtime, by adding Basic to the
jdk.http.auth.tunneling.disabledSchemes networking property. Now,
proxies requiring Basic authentication when setting up a tunnel
for HTTPS will no longer succeed by default. If required, this
authentication scheme can be reactivated by removing Basic from
the jdk.http.auth.tunneling.disabledSchemes networking property,
or by setting a system property of the same name to "" (empty)
on the command line.

Additionally, the jdk.http.auth.tunneling.disabledSchemes and
jdk.http.auth.proxying.disabledSchemes networking properties,
and system properties of the same name, can be used to disable
other authentication schemes that may be active when setting up
a tunnel for HTTPS, or proxying plain HTTP, respectively.
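An added example (not from the Ubuntu tracker or the upstream release notes): a Python check that reports which authentication schemes are effectively disabled for a JVM, given the text of its networking properties file and its command line. It assumes the networking properties are read from the JDK's net.properties file and that a system property of the same name takes precedence over the file value; the sample file and command lines are constructed.

```python
import shlex

TUNNELING = "jdk.http.auth.tunneling.disabledSchemes"
PROXYING = "jdk.http.auth.proxying.disabledSchemes"

# Constructed sample inputs (not taken from a real host).
SAMPLE_PROPS = """\
# networking properties (assumed to live in the JDK's net.properties)
http.nonProxyHosts=localhost|127.*|[::1]
jdk.http.auth.tunneling.disabledSchemes=Basic
"""
DEFAULT_CMD = "java -jar app.jar"
OVERRIDE_CMD = 'java -Djdk.http.auth.tunneling.disabledSchemes="" -jar app.jar'


def from_properties(text, prop):
    """Value of prop in properties-file text, or None if it is not set."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, val = line.partition("=")
        if sep and key.strip() == prop:
            value = val.strip()  # a later assignment replaces an earlier one
    return value


def from_command_line(cmdline, prop):
    """Value of -D<prop>=... on a JVM command line, or None if absent."""
    prefix = "-D" + prop + "="
    value = None
    for arg in shlex.split(cmdline):
        if arg.startswith(prefix):
            value = arg[len(prefix):]
    return value


def effective_disabled(props_text, cmdline, prop=TUNNELING):
    """Disabled schemes; the system property overrides the file value."""
    cli = from_command_line(cmdline, prop)
    chosen = cli if cli is not None else from_properties(props_text, prop)
    # Scheme names are lower-cased here so "Basic" and "basic" compare equal.
    return {s.strip().lower() for s in (chosen or "").split(",") if s.strip()}


def basic_allowed_for_tunneling(props_text, cmdline):
    """True when Basic proxy auth may be used while setting up an HTTPS tunnel."""
    return "basic" not in effective_disabled(props_text, cmdline, TUNNELING)
```

A JVM started with the empty override is the case to flag in an audit: it restores the pre-fix behaviour regardless of what the properties file says.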
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [6b40-1.13.12-0ubuntu0.14.04.3])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [7u121-2.6.8-1ubuntu0.14.04.1])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (8u111-b14-2ubuntu0.16.04.2)
More Information

Updated: 2019-12-05 18:45:46 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)