It was discovered that the TransformerImpl class implementation in the JAXP component of OpenJDK did not properly check access restrictions when performing URI resolution. This could possibly lead to information disclosure when performing XSLT transformations.
Public now via Oracle CPU January 2022: https://www.oracle.com/security-alerts/cpujan2022.html#AppendixJAVA Fixed in Oracle Java SE 17.0.2, 11.0.14, 8u321, and 7u331.
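The following is an added example, not code from the CVE record, the OpenJDK fix, or Red Hat. It shows a defense-in-depth configuration for application code that runs XSLT transformations: the JAXP access properties are set to refuse external DTD and stylesheet resources, and a deny-all URIResolver is installed on both the factory (xsl:import/xsl:include at compile time) and the Transformer (document() at run time). A constructed stylesheet that tries to read a file URI via document() is then run to confirm it is refused. Class and field names are the example's own, the file path is a constructed placeholder, and the code assumes the JDK's built-in TransformerFactory (a third-party factory may reject the JAXP attribute names). This hardening is layered on top of, not a substitute for, the fixed versions listed above.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (not part of the CVE record or the OpenJDK fix): configure
 * JAXP so that a stylesheet cannot pull in resources from URIs the
 * application did not intend, and check that such an attempt is refused.
 */
public final class HardenedXslt {

    /** Constructed stylesheet: calls document() on a file URI the application never meant to expose. */
    static final String UNTRUSTED_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "  <xsl:output method=\"text\"/>"
      + "  <xsl:template match=\"/\">"
      + "    <xsl:value-of select=\"document('file:///tmp/placeholder-not-for-stylesheets.txt')\"/>"
      + "  </xsl:template>"
      + "</xsl:stylesheet>";

    /** Constructed input document; its content is irrelevant to the check. */
    static final String INPUT_XML = "<root/>";

    /** Resolver that refuses every href: this application has no legitimate use for external resolution. */
    static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("external URI resolution refused: " + href);
    };

    /** Factory with secure processing on, external DTD/stylesheet access disabled, and the deny-all resolver. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // no protocols allowed
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // covers xsl:import/include and document()
        f.setURIResolver(DENY_ALL); // consulted while compiling the stylesheet
        return f;
    }

    /** Compiles and runs the stylesheet; any refused resolution surfaces as an exception. */
    static String transform(String xslt, String xml) throws TransformerException {
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xslt)));
        t.setURIResolver(DENY_ALL); // consulted at run time, e.g. by document()
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            System.out.println("output: " + transform(UNTRUSTED_XSLT, INPUT_XML));
        } catch (Exception e) {
            // Expected path for the constructed stylesheet: the file URI is never read.
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

With both layers in place the transformation fails instead of returning the file's contents; which layer rejects the request first depends on the JDK build, so the check should be applied to whichever is reached. Keeping the restrictions in application code also protects deployments that cannot immediately move to the fixed releases, and it remains worthwhile after patching because it removes a whole class of stylesheet-driven resource access rather than one bug.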
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0161 https://access.redhat.com/errata/RHSA-2022:0161
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0233 https://access.redhat.com/errata/RHSA-2022:0233
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0209 https://access.redhat.com/errata/RHSA-2022:0209
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0185 https://access.redhat.com/errata/RHSA-2022:0185
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0211 https://access.redhat.com/errata/RHSA-2022:0211
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0204 https://access.redhat.com/errata/RHSA-2022:0204
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.2 Via RHSA-2022:0166 https://access.redhat.com/errata/RHSA-2022:0166
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.2 Via RHSA-2022:0165 https://access.redhat.com/errata/RHSA-2022:0165
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.14 Via RHSA-2022:0228 https://access.redhat.com/errata/RHSA-2022:0228
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.14 Via RHSA-2022:0229 https://access.redhat.com/errata/RHSA-2022:0229
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/592542fb28e26479ac591e9c08f83bd4a3988070
OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u-dev/commit/62af7d0aaeb16107a5e8bb22b3f164be407f4499
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/monojdk8u/rev/fb79a897664c
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:0304 https://access.redhat.com/errata/RHSA-2022:0304
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:0305 https://access.redhat.com/errata/RHSA-2022:0305
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0307 https://access.redhat.com/errata/RHSA-2022:0307
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:0306 https://access.redhat.com/errata/RHSA-2022:0306
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0312 https://access.redhat.com/errata/RHSA-2022:0312
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u322 Via RHSA-2022:0321 https://access.redhat.com/errata/RHSA-2022:0321
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u322 Via RHSA-2022:0317 https://access.redhat.com/errata/RHSA-2022:0317
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-21282