A flaw was found in the way the HashMap and the HashSet classes implementations in the Utility component of OpenJDK validated the load factor value during deserialization. A specially crafted serialized data stream could cause a Java application to allocate an excessive amount of memory and possibly terminate on out-of-memory condition when deserialized.
Public now via Oracle CPU October 2021: https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixJAVA Fixed in Oracle Java SE 17.0.1, 11.0.13, 8u311, and 7u321.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3886 https://access.redhat.com/errata/RHSA-2021:3886
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3884 https://access.redhat.com/errata/RHSA-2021:3884
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3885 https://access.redhat.com/errata/RHSA-2021:3885
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3893 https://access.redhat.com/errata/RHSA-2021:3893
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3887 https://access.redhat.com/errata/RHSA-2021:3887
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3891 https://access.redhat.com/errata/RHSA-2021:3891
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-35561
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3889 https://access.redhat.com/errata/RHSA-2021:3889
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3892 https://access.redhat.com/errata/RHSA-2021:3892
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u312 Via RHSA-2021:3960 https://access.redhat.com/errata/RHSA-2021:3960
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u312 Via RHSA-2021:3961 https://access.redhat.com/errata/RHSA-2021:3961
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.13 Via RHSA-2021:3967 https://access.redhat.com/errata/RHSA-2021:3967
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.13 Via RHSA-2021:3968 https://access.redhat.com/errata/RHSA-2021:3968
OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u-dev/commit/0eaadbd17cdde5f394f27ce7fa6a08ab6dc932d1 OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f143814b41fb
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4135 https://access.redhat.com/errata/RHSA-2021:4135
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.1 Via RHSA-2021:4532 https://access.redhat.com/errata/RHSA-2021:4532
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.1 Via RHSA-2021:4531 https://access.redhat.com/errata/RHSA-2021:4531
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2022:4957 https://access.redhat.com/errata/RHSA-2022:4957
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2022:4959 https://access.redhat.com/errata/RHSA-2022:4959
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5837 https://access.redhat.com/errata/RHSA-2022:5837