Bug 2403082 (CVE-2025-53057)

Summary: CVE-2025-53057 openjdk: Enhance certificate handling (Oracle CPU 2025-10)
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
Severity: medium
Priority: medium
Version: unspecified
CC: ahughes, fferrari, fitzsim, khosford, nathanmassey922, neugens, pjindal, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Deadline: 2025-10-21   

Description OSIDB Bzimport 2025-10-10 13:13:31 UTC
Java APIs in certain cases may return Distinguished Name strings that
are incorrect representations of the encoded form of BMPString,
PrintableString, and IA5String.

Comment 4 errata-xmlrpc 2025-12-03 20:46:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support
  Red Hat Enterprise Linux 10

Via RHSA-2025:22672 https://access.redhat.com/errata/RHSA-2025:22672

Comment 6 Orville Briggs 2026-01-15 08:13:01 UTC
Some Java APIs (for example X500Principal.getName()) may return Distinguished Name strings that do not correctly represent the original ASN.1 encoding when DN attributes are encoded as BMPString, PrintableString, or IA5String. In such cases, Java normalizes the values to UTF-8, which can cause the returned DN string to differ from the actual encoded form in the certificate. https://geometrydash-lite.co
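
The difference between a DN string and its encoded form, as raised in the description and in comment 6, can be inspected directly on the DER bytes. The following is an added example, not code from OpenJDK or from this bug report: it walks a DER-encoded Name and reports the ASN.1 string type of each attribute value. The two sample Names (CN=example) are constructed, and the helper names are illustrative.

```python
STRING_TAGS = {0x0C: ("UTF8String", "utf-8"), 0x13: ("PrintableString", "ascii"),
               0x16: ("IA5String", "ascii"), 0x1E: ("BMPString", "utf-16-be")}

def children(buf):
    """Yield (tag, value) for each DER TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(val):
    """Dotted OID; assumes the first two arcs share one byte (true for 2.5.4.x)."""
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def dn_attributes(der_name):
    """List (oid, asn1_string_type, text) for each attribute of a DER Name."""
    out = []
    for _, rdns in children(der_name):         # outer SEQUENCE OF RDN
        for _, rdn in children(rdns):          # each RDN is a SET
            for _, atv in children(rdn):       # SEQUENCE { type, value }
                (_, oid), (vtag, val) = children(atv)
                kind, codec = STRING_TAGS.get(vtag, ("tag 0x%02x" % vtag, None))
                text = val.decode(codec) if codec else val.hex()
                out.append((decode_oid(oid), kind, text))
    return out

def same_text_different_encoding(a, b):
    """True when two Names read the same as text but differ on the wire."""
    strip = lambda name: [(oid, text) for oid, _, text in dn_attributes(name)]
    return a != b and strip(a) == strip(b)

def sample_name(tag, raw):
    """Constructed sample: a Name holding one CN attribute (short lengths only)."""
    tlv = lambda t, v: bytes([t, len(v)]) + v
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(tag, raw))
    return tlv(0x30, tlv(0x31, atv))

PRINTABLE = sample_name(0x13, "example".encode("ascii"))
BMP = sample_name(0x1E, "example".encode("utf-16-be"))
```

Where a decision depends on the exact name in a certificate, comparing the encoded bytes (or the per-attribute string types reported here) avoids relying on a string rendering of the DN.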