Java: Possible RCEs in X.509 certificate validation [CVE-2018-2633][CVE-2017-10116]

January 20, 2018

Executive summary, so that you don’t have a heart attack before we get into the gritty details.

CVE-2018-2633 - fixed in the January 2018 CPU - allows remote code execution under two conditions:

  • com.sun.security.enableAIAcaIssuers==true - which is hopefully as uncommon as a google search suggests, or
  • CRL checking/downloads are enabled (mostly com.sun.security.enableCRLDP==true, but also possibly other configurations) and the attacker can forge a otherwise valid/trusted certificate with an invalid CRL distribution point URL.

CVE-2017-10116 - fixed in the July 2017 CPU - possibly allowed code execution through Java deserialization for an attacker in a MITM position.

All of these apply to all regular X.509 certificate validation using Java’s built-in implementation, i.e. TLS client, TLS server (if client certificates are used), JAR verification… but only under aforementioned conditions.

Read More