Bug 2133745 (CVE-2022-21619)

Summary: CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahughes, caswilli, chazlett, dbhole, dffrench, dfitzmau, fjansen, gzaronik, jdowland, jhuttana, jochrist, jvanek, kaycoth, nengard, neugens, ngough, pjindal, rgodfrey, security-response-team, sraghupu, sthirugn, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-14 06:00:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2133708, 2133711, 2133718, 2133721, 2133727, 2133730, 2133701, 2133703, 2133704, 2133705, 2133706, 2133707, 2133709, 2133710, 2133712, 2133713, 2133714, 2133715, 2133716, 2133717, 2133719, 2133720, 2133722, 2133723, 2133724, 2133725, 2133726, 2133728, 2133729, 2134564, 2142628, 2142629, 2144796, 2144907    
Bug Blocks: 2133694    

Description Mauro Matteo Cascella 2022-10-11 09:30:07 UTC 
It was discovered that the NTLM implementation in the Security component of OpenJDK did not properly handle long client hostnames. This could potentially lead to an integer truncation issue and data corruption on the server side.
Comment 17 Mauro Matteo Cascella 2022-10-19 15:09:28 UTC 
Public now via Oracle CPU October 2022:

https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixJAVA

Fixed in Oracle Java SE 8u351, 11.0.17, 17.0.5, 19.0.1.

Release notes:
https://www.oracle.com/java/technologies/javase/8u351-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-17-relnotes.html
https://www.oracle.com/java/technologies/javase/17-0-5-relnotes.html
https://www.oracle.com/java/technologies/javase/19-0-1-relnotes.html
Comment 18 errata-xmlrpc 2022-10-19 21:11:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:7009 https://access.redhat.com/errata/RHSA-2022:7009
Comment 19 errata-xmlrpc 2022-10-19 21:17:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:7004 https://access.redhat.com/errata/RHSA-2022:7004
Comment 20 errata-xmlrpc 2022-10-19 21:30:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:7003 https://access.redhat.com/errata/RHSA-2022:7003
Comment 21 errata-xmlrpc 2022-10-19 22:09:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7002 https://access.redhat.com/errata/RHSA-2022:7002
Comment 22 errata-xmlrpc 2022-10-19 22:11:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:7005 https://access.redhat.com/errata/RHSA-2022:7005
Comment 23 errata-xmlrpc 2022-10-19 22:18:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7006 https://access.redhat.com/errata/RHSA-2022:7006
Comment 24 errata-xmlrpc 2022-10-19 22:22:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:7001 https://access.redhat.com/errata/RHSA-2022:7001
Comment 25 errata-xmlrpc 2022-10-19 22:25:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:7011 https://access.redhat.com/errata/RHSA-2022:7011
Comment 26 errata-xmlrpc 2022-10-19 22:28:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:7010 https://access.redhat.com/errata/RHSA-2022:7010
Comment 27 errata-xmlrpc 2022-10-19 22:30:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7008 https://access.redhat.com/errata/RHSA-2022:7008
Comment 28 errata-xmlrpc 2022-10-19 22:33:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7012 https://access.redhat.com/errata/RHSA-2022:7012
Comment 29 errata-xmlrpc 2022-10-19 22:37:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7000 https://access.redhat.com/errata/RHSA-2022:7000
Comment 30 errata-xmlrpc 2022-10-20 08:02:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7007 https://access.redhat.com/errata/RHSA-2022:7007
Comment 31 errata-xmlrpc 2022-10-20 08:04:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7013 https://access.redhat.com/errata/RHSA-2022:7013
Comment 32 errata-xmlrpc 2022-10-20 08:05:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6999 https://access.redhat.com/errata/RHSA-2022:6999
Comment 33 errata-xmlrpc 2022-10-20 10:09:40 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u352

Via RHSA-2022:7049 https://access.redhat.com/errata/RHSA-2022:7049
Comment 34 errata-xmlrpc 2022-10-20 10:10:45 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u352

Via RHSA-2022:7050 https://access.redhat.com/errata/RHSA-2022:7050
Comment 35 errata-xmlrpc 2022-10-20 10:18:34 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.17

Via RHSA-2022:7052 https://access.redhat.com/errata/RHSA-2022:7052
Comment 36 errata-xmlrpc 2022-10-20 10:19:28 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.17

Via RHSA-2022:7054 https://access.redhat.com/errata/RHSA-2022:7054
Comment 37 errata-xmlrpc 2022-10-20 10:25:52 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.5

Via RHSA-2022:7051 https://access.redhat.com/errata/RHSA-2022:7051
Comment 38 errata-xmlrpc 2022-10-20 10:27:25 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.5

Via RHSA-2022:7053 https://access.redhat.com/errata/RHSA-2022:7053
Comment 39 Mauro Matteo Cascella 2022-10-20 13:27:39 UTC 
OpenJDK-17 upstream commit:
https://github.com/openjdk/jdk17u/commit/183d43d38cdeedb5b8667359a32acb484850a2e9

OpenJDK-11 upstream commit:
https://github.com/openjdk/jdk11u/commit/749d4ed10ef7e7a0887be887ee166b4f83b6fe74

OpenJDK-8 upstream commit:
https://github.com/openjdk/jdk8u/commit/62b1b3e5de6285a95a912d5bc62331bad35c151c
Comment 42 errata-xmlrpc 2022-12-07 10:45:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2022:8880 https://access.redhat.com/errata/RHSA-2022:8880
Comment 43 errata-xmlrpc 2023-01-12 08:33:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0128 https://access.redhat.com/errata/RHSA-2023:0128
Comment 44 Product Security DevOps Team 2023-01-14 06:00:38 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21619