Bug 2228078 (CVE-2022-40609)

Summary: CVE-2022-40609 IBM JDK: unsafe deserialization flaw in the Object Request Broker (ORB)
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: jhuttana
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: java-1.8.0-ibm 8.0.8.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in IBM SDK, Java Technology Edition, which could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. An attacker could exploit this vulnerability by sending specially crafted data to execute arbitrary code on the system.
Story Points: ---
Last Closed: 2023-08-01 17:37:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2215911, 2215912, 2215913
Bug Blocks: 2228082

Description Mauro Matteo Cascella 2023-08-01 10:35:11 UTC
IBM SDK, Java Technology Edition could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Reference:
https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities#IBM_Security_Update_August_2023
https://www.ibm.com/support/pages/node/7017032

Comment 1 Mauro Matteo Cascella 2023-08-01 10:53:14 UTC
This issue was fixed in IBM JDK 8 SR8 FP5 (8.0.8.5). The java-1.8.0-ibm packages as shipped in Red Hat Enterprise Linux 7 and 8 were previously updated to a version that contains the fix via the following errata:

java-1.8.0-ibm in Red Hat Enterprise Linux 7 Supplementary
https://access.redhat.com/errata/RHSA-2023:4160

java-1.8.0-ibm in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2023:4103

Comment 2 Product Security DevOps Team 2023-08-01 17:37:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-40609