Bug 2160421 (CVE-2023-21835)
Field | Value
---|---
Summary | CVE-2023-21835 OpenJDK: handshake DoS attack against DTLS connections (JSSE, 8287411)
Product | [Other] Security Response
Reporter | Mauro Matteo Cascella <mcascell>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
QA Contact | 
Severity | medium
Docs Contact | 
Priority | medium
Version | unspecified
CC | ahughes, caswilli, chazlett, dbhole, dffrench, dfitzmau, fjansen, gzaronik, hbraun, jdowland, jhuttana, jvanek, jwon, kaycoth, neugens, ngough, pjindal, rgodfrey, security-response-team, sraghupu, sthirugn, vkrizan
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard | 
Fixed In Version | 
Doc Type | If docs needed, set a value
Doc Text | 
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2023-01-25 23:52:15 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Bug Depends On | 2160126, 2160127, 2160128, 2160129, 2160130, 2160131, 2160132, 2160133, 2160134, 2160135, 2160138, 2160139, 2160140, 2160141, 2160142, 2160143, 2160144, 2160145, 2160146, 2164052
Bug Blocks | 2159709
Description
Mauro Matteo Cascella
2023-01-12 11:28:06 UTC
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/04f32aacb592cd8f9c963278f01310a138a940ff

OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u/commit/57f29406b9d729a69410113518094f641c5799ea

This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2023:0202 https://access.redhat.com/errata/RHSA-2023:0202

This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support. Via RHSA-2023:0193 https://access.redhat.com/errata/RHSA-2023:0193

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support. Via RHSA-2023:0190 https://access.redhat.com/errata/RHSA-2023:0190

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support. Via RHSA-2023:0199 https://access.redhat.com/errata/RHSA-2023:0199

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Via RHSA-2023:0196 https://access.redhat.com/errata/RHSA-2023:0196

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.2 Telecommunications Update Service. Via RHSA-2023:0197 https://access.redhat.com/errata/RHSA-2023:0197

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support. Via RHSA-2023:0198 https://access.redhat.com/errata/RHSA-2023:0198

This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support. Via RHSA-2023:0201 https://access.redhat.com/errata/RHSA-2023:0201

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support. Via RHSA-2023:0191 https://access.redhat.com/errata/RHSA-2023:0191

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2023:0192 https://access.redhat.com/errata/RHSA-2023:0192

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2023:0200 https://access.redhat.com/errata/RHSA-2023:0200

Public now via Oracle CPU January 2023: https://www.oracle.com/security-alerts/cpujan2023.html#AppendixJAVA

Fixed in Oracle Java SE 11.0.18, 17.0.6, 19.0.2.

A new security property was introduced as part of the fix:

- DTLS Resumption Uses HelloVerifyRequest Messages

With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.

For more information, see the following release notes:

- https://www.oracle.com/java/technologies/javase/11-0-18-relnotes.html
- https://www.oracle.com/java/technologies/javase/17-0-6-relnotes.html
- https://www.oracle.com/java/technologies/javase/19-0-2-relnotes.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2023:0194 https://access.redhat.com/errata/RHSA-2023:0194

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2023:0195 https://access.redhat.com/errata/RHSA-2023:0195

This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.18. Via RHSA-2023:0353 https://access.redhat.com/errata/RHSA-2023:0353

This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.18. Via RHSA-2023:0388 https://access.redhat.com/errata/RHSA-2023:0388

This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.6. Via RHSA-2023:0352 https://access.redhat.com/errata/RHSA-2023:0352

This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.6. Via RHSA-2023:0389 https://access.redhat.com/errata/RHSA-2023:0389

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-21835