Bug 2160490 (CVE-2023-21830) - CVE-2023-21830 OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021)
Summary: CVE-2023-21830 OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-21830
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2160115 2160116 2160117 2160118 2160119 2160120 2160121 2160122 2160123 2160124 2164052 2183464 2183465 2184080 2184081
Blocks: 2159709
 
Reported: 2023-01-12 15:16 UTC by Mauro Matteo Cascella
Modified: 2023-08-07 09:25 UTC (History)
CC: 22 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-29 10:52:10 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:0203  0        None      None    None     2023-01-24 09:00:27 UTC
Red Hat Product Errata  RHSA-2023:0204  0        None      None    None     2023-01-23 15:23:29 UTC
Red Hat Product Errata  RHSA-2023:0205  0        None      None    None     2023-01-23 17:53:39 UTC
Red Hat Product Errata  RHSA-2023:0206  0        None      None    None     2023-01-23 17:58:19 UTC
Red Hat Product Errata  RHSA-2023:0207  0        None      None    None     2023-01-23 18:21:50 UTC
Red Hat Product Errata  RHSA-2023:0208  0        None      None    None     2023-01-26 21:05:17 UTC
Red Hat Product Errata  RHSA-2023:0209  0        None      None    None     2023-01-23 18:17:57 UTC
Red Hat Product Errata  RHSA-2023:0210  0        None      None    None     2023-01-26 15:56:04 UTC
Red Hat Product Errata  RHSA-2023:0354  0        None      None    None     2023-01-23 22:34:05 UTC
Red Hat Product Errata  RHSA-2023:0387  0        None      None    None     2023-01-23 22:33:50 UTC
Red Hat Product Errata  RHSA-2023:3136  0        None      None    None     2023-05-16 18:14:19 UTC

Description Mauro Matteo Cascella 2023-01-12 15:16:14 UTC
An unspecified flaw was found in the way the Serialization component of OpenJDK performed deserialization of data from serialized input. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.

Comment 3 Mauro Matteo Cascella 2023-01-18 09:54:59 UTC
OpenJDK-8 upstream commit:
https://github.com/openjdk/jdk8u/commit/259a33e4e11236f26ecebb4239771aafe59a0229

Comment 4 Mauro Matteo Cascella 2023-01-18 10:37:45 UTC
Public now via Oracle CPU January 2023:

https://www.oracle.com/security-alerts/cpujan2023.html#AppendixJAVA

Fixed in Oracle Java SE 8u361.

Release notes:
https://www.oracle.com/java/technologies/javase/8u361-relnotes.html

Comment 5 errata-xmlrpc 2023-01-23 15:23:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0204 https://access.redhat.com/errata/RHSA-2023:0204

Comment 6 errata-xmlrpc 2023-01-23 17:53:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:0205 https://access.redhat.com/errata/RHSA-2023:0205

Comment 7 errata-xmlrpc 2023-01-23 17:58:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0206 https://access.redhat.com/errata/RHSA-2023:0206

Comment 8 errata-xmlrpc 2023-01-23 18:17:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0209 https://access.redhat.com/errata/RHSA-2023:0209

Comment 9 errata-xmlrpc 2023-01-23 18:21:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0207 https://access.redhat.com/errata/RHSA-2023:0207

Comment 10 errata-xmlrpc 2023-01-23 22:33:49 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u362

Via RHSA-2023:0387 https://access.redhat.com/errata/RHSA-2023:0387

Comment 11 errata-xmlrpc 2023-01-23 22:34:03 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u362

Via RHSA-2023:0354 https://access.redhat.com/errata/RHSA-2023:0354

Comment 12 errata-xmlrpc 2023-01-24 09:00:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:0203 https://access.redhat.com/errata/RHSA-2023:0203

Comment 14 errata-xmlrpc 2023-01-26 15:56:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0210 https://access.redhat.com/errata/RHSA-2023:0210

Comment 15 errata-xmlrpc 2023-01-26 21:05:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0208 https://access.redhat.com/errata/RHSA-2023:0208

Comment 16 Product Security DevOps Team 2023-01-29 10:52:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-21830

Comment 17 errata-xmlrpc 2023-05-16 18:14:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2023:3136 https://access.redhat.com/errata/RHSA-2023:3136

