Bug 2224658 (CVE-2023-22043)

Summary: CVE-2023-22043 JavaFX: unauthorized creation, deletion or modification access to critical data via multiple protocols
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahughes, dbhole, jvanek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-21 20:55:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2221090    

Description Mauro Matteo Cascella 2023-07-21 20:50:41 UTC 
NVD description: Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Reference:
https://www.oracle.com/security-alerts/cpujul2023.html#AppendixJAVA
Comment 1 Mauro Matteo Cascella 2023-07-21 20:55:36 UTC 
This is not an OpenJDK issue, but rather JavaFX / OpenJFX, which is not currently shipped as part of any Red Hat product. See https://access.redhat.com/solutions/3299701.