Bug 2243637 (CVE-2023-22067)

Summary: CVE-2023-22067 OpenJDK: IOR deserialization issue in CORBA (8303384)
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahughes, caswilli, chazlett, fjansen, kaycoth, khosford, mbalao, neugens, pjindal, security-response-team, sraghupu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2250284    
Bug Blocks: 2242826    

Description Mauro Matteo Cascella 2023-10-12 10:55:04 UTC 
A flaw was discovered in the CORBA component of OpenJDK in the way it performed deserialization of IOR (Interoperable Object Reference) string objects. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Comment 1 errata-xmlrpc 2023-10-18 16:22:48 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u392

Via RHSA-2023:5726 https://access.redhat.com/errata/RHSA-2023:5726
Comment 2 errata-xmlrpc 2023-10-18 16:22:51 UTC 
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u392

Via RHSA-2023:5725 https://access.redhat.com/errata/RHSA-2023:5725
Comment 3 errata-xmlrpc 2023-10-18 22:31:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5761 https://access.redhat.com/errata/RHSA-2023:5761
Comment 4 errata-xmlrpc 2023-10-18 22:55:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5731 https://access.redhat.com/errata/RHSA-2023:5731
Comment 5 errata-xmlrpc 2023-10-18 23:01:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5732 https://access.redhat.com/errata/RHSA-2023:5732
Comment 6 errata-xmlrpc 2023-10-18 23:01:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5727 https://access.redhat.com/errata/RHSA-2023:5727
Comment 7 errata-xmlrpc 2023-10-18 23:01:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5728 https://access.redhat.com/errata/RHSA-2023:5728
Comment 8 errata-xmlrpc 2023-10-18 23:04:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5729 https://access.redhat.com/errata/RHSA-2023:5729
Comment 9 errata-xmlrpc 2023-10-18 23:04:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5733 https://access.redhat.com/errata/RHSA-2023:5733
Comment 10 errata-xmlrpc 2023-10-18 23:27:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5730 https://access.redhat.com/errata/RHSA-2023:5730
Comment 11 Mauro Matteo Cascella 2023-10-27 17:36:52 UTC 
OpenJDK-8 upstream commit:
https://github.com/openjdk/jdk8u/commit/6930f190778e62c88ee0d7d382f61515031563e4
Comment 12 Mauro Matteo Cascella 2023-10-27 17:54:18 UTC 
Oracle CPU October 2023:

https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixJAVA

Fixed in Oracle Java SE 8u391, 8u391-perf.

Release notes:
https://www.oracle.com/java/technologies/javase/8u391-relnotes.html
https://www.oracle.com/java/technologies/javase/8u391-perf-relnotes.html
Comment 13 Mauro Matteo Cascella 2023-10-27 19:05:18 UTC 
The readObject method has been amended such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format only. A system property was introduced, com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR, which when set to true, will revert the readObject method to its current behavior and disable the additional IOR checks. A system property was introduced, com.sun.CORBA.IDL.Stubs.allowCorbanameInIOR, which when set to false, will activate an IOR check when reading a stringified IOR from serialised data and constrain a stringified IOR to that of IOR: URI format. The default value of both system properties is true.

For further information, see https://www.oracle.com/java/technologies/javase/8u391-relnotes.html.
Comment 16 errata-xmlrpc 2024-02-19 17:59:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0866 https://access.redhat.com/errata/RHSA-2024:0866
Comment 17 errata-xmlrpc 2024-02-20 08:57:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2024:0879 https://access.redhat.com/errata/RHSA-2024:0879