It was discovered that the implementation of ProcessBuilder in the Libraries component of OpenJDK did not correctly process NULL characters in command name attributes. This could lead to manipulation of command arguments when executing processes with arguments from untrusted sources.
OpenJDK-8 upstream commit: https://github.com/openjdk/jdk8u/commit/a7fbe33ffece7c28c9808fcc631c2d4db4a59757
OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u/commit/2d806d0e2f034b24987407a36bb8e246b1734927
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/28958abd0ea9c6296d140d04d0615b99da9370a5
Public now via Oracle CPU April 2023: https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA
Fixed in Oracle Java SE 8u371, 11.0.19, 17.0.7, 20.0.1.
Release notes:
https://www.oracle.com/java/technologies/javase/8u371-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-19-relnotes.html
https://www.oracle.com/java/technologies/javase/17-0-7-relnotes.html
https://www.oracle.com/java/technologies/javase/20-0-1-relnotes.html
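The following is an added example of an application-side mitigation for the flaw described above; it is not code from the OpenJDK project or from the linked commits. It wraps ProcessBuilder in a helper (the class name SafeProcessLauncher and its methods are assumptions for this illustration) that rejects any command or argument string containing U+0000 before the process is started, so that untrusted input cannot carry an embedded NUL into the command line regardless of whether the JDK in use carries the upstream fix.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not JDK code): a launch helper that refuses command
 * elements containing a NUL character (U+0000). Java strings may hold
 * U+0000, but the native command line handed to the OS cannot, which is
 * the root of the CVE-2023-21938 argument-manipulation issue.
 */
public final class SafeProcessLauncher {

    private SafeProcessLauncher() {}

    /**
     * Throws IllegalArgumentException if any element is null or contains
     * U+0000. The index of the offending element and character is reported
     * so the rejection can be logged and investigated.
     */
    static void requireNoNul(List<String> command) {
        for (int i = 0; i < command.size(); i++) {
            String s = command.get(i);
            if (s == null) {
                throw new IllegalArgumentException("command element " + i + " is null");
            }
            int at = s.indexOf('\u0000');
            if (at >= 0) {
                throw new IllegalArgumentException(
                        "command element " + i + " contains NUL at index " + at);
            }
        }
    }

    /**
     * Validates the full command vector and only then builds the process.
     * The program path is fixed by the caller; only the arguments may come
     * from untrusted sources.
     */
    public static Process launch(String program, List<String> untrustedArgs)
            throws IOException {
        List<String> cmd = new ArrayList<>();
        cmd.add(program);
        cmd.addAll(untrustedArgs);
        requireNoNul(cmd);
        return new ProcessBuilder(cmd).redirectErrorStream(true).start();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one clean argument list and one whose
        // argument carries an embedded NUL as untrusted input might.
        List<String> clean = Arrays.asList("hello");
        List<String> tainted = Arrays.asList("hello\u0000injected");

        Process p = launch("/bin/echo", clean);
        p.waitFor();
        System.out.println("clean launch exit code: " + p.exitValue());

        try {
            launch("/bin/echo", tainted);
        } catch (IllegalArgumentException e) {
            // Expected path: the tainted vector never reaches ProcessBuilder.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeProcessLauncher.java && java SafeProcessLauncher` on a Unix-like host that has /bin/echo. Applying the check to the whole command vector, not just the program name, keeps the helper useful even if a later refactor lets untrusted data reach the first element; patching to the fixed releases listed above remains the primary remediation, and the wrapper is defence in depth.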
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:1875 https://access.redhat.com/errata/RHSA-2023:1875
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:1877 https://access.redhat.com/errata/RHSA-2023:1877
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:1878 https://access.redhat.com/errata/RHSA-2023:1878
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1879 https://access.redhat.com/errata/RHSA-2023:1879
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1880 https://access.redhat.com/errata/RHSA-2023:1880
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.19 Via RHSA-2023:1883 https://access.redhat.com/errata/RHSA-2023:1883
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.19 Via RHSA-2023:1882 https://access.redhat.com/errata/RHSA-2023:1882
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.7 Via RHSA-2023:1885 https://access.redhat.com/errata/RHSA-2023:1885
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.7 Via RHSA-2023:1884 https://access.redhat.com/errata/RHSA-2023:1884
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1889 https://access.redhat.com/errata/RHSA-2023:1889
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1890 https://access.redhat.com/errata/RHSA-2023:1890
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1891 https://access.redhat.com/errata/RHSA-2023:1891
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1892 https://access.redhat.com/errata/RHSA-2023:1892
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1895 https://access.redhat.com/errata/RHSA-2023:1895
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1898 https://access.redhat.com/errata/RHSA-2023:1898
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1899 https://access.redhat.com/errata/RHSA-2023:1899
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1900 https://access.redhat.com/errata/RHSA-2023:1900
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:1904 https://access.redhat.com/errata/RHSA-2023:1904
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:1911 https://access.redhat.com/errata/RHSA-2023:1911
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:1905 https://access.redhat.com/errata/RHSA-2023:1905
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1906 https://access.redhat.com/errata/RHSA-2023:1906
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1909 https://access.redhat.com/errata/RHSA-2023:1909
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1908 https://access.redhat.com/errata/RHSA-2023:1908
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1910 https://access.redhat.com/errata/RHSA-2023:1910
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1907 https://access.redhat.com/errata/RHSA-2023:1907
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u362 Via RHSA-2023:1912 https://access.redhat.com/errata/RHSA-2023:1912
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u362 Via RHSA-2023:1903 https://access.redhat.com/errata/RHSA-2023:1903
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-21938
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4103 https://access.redhat.com/errata/RHSA-2023:4103
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2023:4160 https://access.redhat.com/errata/RHSA-2023:4160