Bug 2075821 (CVE-2022-21449)
| Summary: | CVE-2022-21449 OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | ahughes, bernhard.schuhmann, chazlett, dbhole, dfitzmau, jdowland, jhuttana, jochrist, jvanek, nengard, neugens, pjindal, security-response-team, sraghupu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-04-28 23:45:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2073575, 2073576, 2073577, 2073578, 2073579 | | |
| Bug Blocks: | 2073424 | | |
Description
Mauro Matteo Cascella
2022-04-15 13:58:01 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2022:1445 https://access.redhat.com/errata/RHSA-2022:1445

OpenJDK-17 upstream commit:
https://github.com/openjdk/jdk17u/commit/2d4103a3d929e05edca98e7703e0869077966be7

Oracle CPU April 2022:
https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA

Fixed in Oracle Java SE 7u341, 8u331, 11.0.15, 17.0.3, 18.0.1.

This issue was found and responsibly disclosed to Oracle by ForgeRock.

For a detailed description of the bug and possible consequences, see Neil Madden's blog post:
https://neilmadden.blog/2022/04/19/psychic-signatures-in-java

Will the 17.0.3 release be picked up for EL7 automatically? Thanks in advance!

@bernhard.schuhmann We do not provide OpenJDK 17 as part of RHEL7.

(In reply to Jonathan Dowland from comment #8)
> @bernhard.schuhmann We do not provide OpenJDK 17 as part of RHEL7.

@jdowland, I was referring to the EPEL repository for CentOS 7, which provides OpenJDK 17.0.2. Wanted to ask if this version would get updated 'automatically' or what would be the process to ask for an update there?

This issue has been addressed in the following products:

Red Hat Build of OpenJDK 17.0.3

Via RHSA-2022:1436 https://access.redhat.com/errata/RHSA-2022:1436

This issue has been addressed in the following products:

Red Hat Build of OpenJDK 17.0.3

Via RHSA-2022:1437 https://access.redhat.com/errata/RHSA-2022:1437

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-21449

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2022:1729 https://access.redhat.com/errata/RHSA-2022:1729