Bug 2187724 (CVE-2023-21939)

Summary: CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahughes, caswilli, chazlett, dbhole, dffrench, dfitzmau, fjansen, gzaronik, hbraun, jdowland, jhuttana, jvanek, kaycoth, neugens, ngough, pjindal, rgodfrey, security-response-team, sraghupu, sthirugn, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-25 16:41:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2185197, 2185198, 2185199, 2185200, 2185201, 2185202, 2185203, 2185204, 2185205, 2185206, 2185207, 2185208, 2185209, 2185210, 2185211, 2185212, 2185213, 2185214, 2185215, 2185216, 2185217, 2185218, 2185219, 2185220, 2185221, 2185222, 2185223, 2185224, 2185225, 2185226, 2185227, 2185228, 2185229, 2188616, 2215911, 2215912, 2215913    
Bug Blocks: 2185177    

Description Mauro Matteo Cascella 2023-04-18 14:29:56 UTC 
An HTML validation flaw was found in the Swing component of OpenJDK. A specially crafted HTML document could cause a Swing Java application to misbehave leading to integrity problems.
Comment 7 Mauro Matteo Cascella 2023-04-19 10:25:05 UTC 
OpenJDK-8 upstream commit:
https://github.com/openjdk/jdk8u/commit/6089a4fcc583ab156c22eae8196ce5073bf90032

OpenJDK-11 upstream commit:
https://github.com/openjdk/jdk11u/commit/91328b328524a69b6623c09e1fadc9ef9b8010a9

OpenJDK-17 upstream commit:
https://github.com/openjdk/jdk17u/commit/0c49bb77f0dd35878a9a6bb01843b7cac8241c69
Comment 8 Mauro Matteo Cascella 2023-04-19 10:57:14 UTC 
Public now via Oracle CPU April 2023:

https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA

Fixed in Oracle Java SE 8u371, 11.0.19, 17.0.7, 20.0.1.

Release notes:
https://www.oracle.com/java/technologies/javase/8u371-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-19-relnotes.html
https://www.oracle.com/java/technologies/javase/17-0-7-relnotes.html
https://www.oracle.com/java/technologies/javase/20-0-1-relnotes.html
Comment 9 Mauro Matteo Cascella 2023-04-19 11:07:38 UTC 
A new security property was introduced as part of the fix:

- System Property to Handle HTML ObjectView Creation

Quoting from JDK release notes: "Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object> tag which allows for subclasses of java.awt.Component to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true."
Comment 10 errata-xmlrpc 2023-04-19 13:31:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1875 https://access.redhat.com/errata/RHSA-2023:1875
Comment 11 errata-xmlrpc 2023-04-19 13:58:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1877 https://access.redhat.com/errata/RHSA-2023:1877
Comment 12 errata-xmlrpc 2023-04-19 14:19:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1878 https://access.redhat.com/errata/RHSA-2023:1878
Comment 13 errata-xmlrpc 2023-04-19 15:07:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1879 https://access.redhat.com/errata/RHSA-2023:1879
Comment 14 errata-xmlrpc 2023-04-19 15:27:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1880 https://access.redhat.com/errata/RHSA-2023:1880
Comment 15 errata-xmlrpc 2023-04-19 19:27:32 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.19

Via RHSA-2023:1883 https://access.redhat.com/errata/RHSA-2023:1883
Comment 16 errata-xmlrpc 2023-04-19 19:27:46 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.19

Via RHSA-2023:1882 https://access.redhat.com/errata/RHSA-2023:1882
Comment 17 errata-xmlrpc 2023-04-19 19:36:31 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.7

Via RHSA-2023:1885 https://access.redhat.com/errata/RHSA-2023:1885
Comment 18 errata-xmlrpc 2023-04-19 19:36:45 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.7

Via RHSA-2023:1884 https://access.redhat.com/errata/RHSA-2023:1884
Comment 19 errata-xmlrpc 2023-04-20 00:29:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1889 https://access.redhat.com/errata/RHSA-2023:1889
Comment 20 errata-xmlrpc 2023-04-20 00:48:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1890 https://access.redhat.com/errata/RHSA-2023:1890
Comment 21 errata-xmlrpc 2023-04-20 01:14:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1891 https://access.redhat.com/errata/RHSA-2023:1891
Comment 22 errata-xmlrpc 2023-04-20 01:36:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1892 https://access.redhat.com/errata/RHSA-2023:1892
Comment 23 errata-xmlrpc 2023-04-20 02:02:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1895 https://access.redhat.com/errata/RHSA-2023:1895
Comment 24 errata-xmlrpc 2023-04-20 02:30:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1898 https://access.redhat.com/errata/RHSA-2023:1898
Comment 25 errata-xmlrpc 2023-04-20 02:47:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1899 https://access.redhat.com/errata/RHSA-2023:1899
Comment 26 errata-xmlrpc 2023-04-20 03:01:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1900 https://access.redhat.com/errata/RHSA-2023:1900
Comment 28 errata-xmlrpc 2023-04-25 02:49:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1904 https://access.redhat.com/errata/RHSA-2023:1904
Comment 29 errata-xmlrpc 2023-04-25 03:08:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1911 https://access.redhat.com/errata/RHSA-2023:1911
Comment 30 errata-xmlrpc 2023-04-25 03:20:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1905 https://access.redhat.com/errata/RHSA-2023:1905
Comment 31 errata-xmlrpc 2023-04-25 03:43:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1906 https://access.redhat.com/errata/RHSA-2023:1906
Comment 32 errata-xmlrpc 2023-04-25 04:01:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1909 https://access.redhat.com/errata/RHSA-2023:1909
Comment 33 errata-xmlrpc 2023-04-25 04:18:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1908 https://access.redhat.com/errata/RHSA-2023:1908
Comment 34 errata-xmlrpc 2023-04-25 10:24:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1910 https://access.redhat.com/errata/RHSA-2023:1910
Comment 35 errata-xmlrpc 2023-04-25 10:40:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1907 https://access.redhat.com/errata/RHSA-2023:1907
Comment 36 errata-xmlrpc 2023-04-25 11:06:17 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u362

Via RHSA-2023:1912 https://access.redhat.com/errata/RHSA-2023:1912
Comment 37 errata-xmlrpc 2023-04-25 11:06:30 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u362

Via RHSA-2023:1903 https://access.redhat.com/errata/RHSA-2023:1903
Comment 38 Product Security DevOps Team 2023-04-25 16:41:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-21939
Comment 40 errata-xmlrpc 2023-07-17 08:48:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4103 https://access.redhat.com/errata/RHSA-2023:4103
Comment 41 errata-xmlrpc 2023-07-31 09:30:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2023:4160 https://access.redhat.com/errata/RHSA-2023:4160