Bug 2221645 (CVE-2023-22045) - CVE-2023-22045 OpenJDK: array indexing integer overflow issue (8304468)
Status: CLOSED ERRATA
Alias: CVE-2023-22045
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
Depends On: 2221108 2221109 2221110 2221111 2221112 2221113 2221114 2221115 2221116 2221118 2221119 2221120 2221121 2221122 2221123 2221124 2221125 2221126 2221127 2221128 2221129 2221130 2221131 2221132 2221133 2222049 2222050 2224350
Blocks: 2221090
Reported: 2023-07-10 13:32 UTC by Mauro Matteo Cascella
Modified: 2024-05-16 11:35 UTC

Last Closed: 2023-08-07 14:10:55 UTC



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4157 0 None None None 2023-07-19 17:23:53 UTC
Red Hat Product Errata RHSA-2023:4158 0 None None None 2023-07-20 12:14:00 UTC
Red Hat Product Errata RHSA-2023:4159 0 None None None 2023-07-20 12:17:44 UTC
Red Hat Product Errata RHSA-2023:4161 0 None None None 2023-07-20 12:11:48 UTC
Red Hat Product Errata RHSA-2023:4162 0 None None None 2023-07-19 17:21:56 UTC
Red Hat Product Errata RHSA-2023:4163 0 None None None 2023-07-19 17:24:23 UTC
Red Hat Product Errata RHSA-2023:4164 0 None None None 2023-07-19 17:23:28 UTC
Red Hat Product Errata RHSA-2023:4165 0 None None None 2023-07-19 17:21:39 UTC
Red Hat Product Errata RHSA-2023:4166 0 None None None 2023-07-21 13:57:55 UTC
Red Hat Product Errata RHSA-2023:4167 0 None None None 2023-07-19 17:20:53 UTC
Red Hat Product Errata RHSA-2023:4168 0 None None None 2023-07-19 17:21:03 UTC
Red Hat Product Errata RHSA-2023:4169 0 None None None 2023-07-19 17:24:02 UTC
Red Hat Product Errata RHSA-2023:4170 0 None None None 2023-07-19 17:14:41 UTC
Red Hat Product Errata RHSA-2023:4171 0 None None None 2023-07-19 17:17:52 UTC
Red Hat Product Errata RHSA-2023:4172 0 None None None 2023-07-19 17:24:04 UTC
Red Hat Product Errata RHSA-2023:4173 0 None None None 2023-07-19 17:23:32 UTC
Red Hat Product Errata RHSA-2023:4174 0 None None None 2023-07-19 17:33:58 UTC
Red Hat Product Errata RHSA-2023:4175 0 None None None 2023-07-20 12:17:53 UTC
Red Hat Product Errata RHSA-2023:4176 0 None None None 2023-07-20 12:17:28 UTC
Red Hat Product Errata RHSA-2023:4177 0 None None None 2023-07-20 12:13:56 UTC
Red Hat Product Errata RHSA-2023:4178 0 None None None 2023-07-20 13:04:32 UTC
Red Hat Product Errata RHSA-2023:4208 0 None None None 2023-07-20 12:11:53 UTC
Red Hat Product Errata RHSA-2023:4209 0 None None None 2023-07-20 12:11:36 UTC
Red Hat Product Errata RHSA-2023:4210 0 None None None 2023-07-20 12:12:10 UTC
Red Hat Product Errata RHSA-2023:4211 0 None None None 2023-07-20 12:12:16 UTC
Red Hat Product Errata RHSA-2023:4212 0 None None None 2023-07-20 12:11:41 UTC
Red Hat Product Errata RHSA-2023:4233 0 None None None 2023-07-21 14:01:15 UTC

Description Mauro Matteo Cascella 2023-07-10 13:32:08 UTC
A flaw was found in the way the Hotspot component of OpenJDK handled array accesses in case of overflow in the index computation. This flaw could lead to an access at an invalid array position, leading to an out-of-bounds read vulnerability.

Comment 4 errata-xmlrpc 2023-07-19 17:14:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4170 https://access.redhat.com/errata/RHSA-2023:4170

Comment 5 errata-xmlrpc 2023-07-19 17:17:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4171 https://access.redhat.com/errata/RHSA-2023:4171

Comment 6 errata-xmlrpc 2023-07-19 17:20:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4167 https://access.redhat.com/errata/RHSA-2023:4167

Comment 7 errata-xmlrpc 2023-07-19 17:21:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4168 https://access.redhat.com/errata/RHSA-2023:4168

Comment 8 errata-xmlrpc 2023-07-19 17:21:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4165 https://access.redhat.com/errata/RHSA-2023:4165

Comment 9 errata-xmlrpc 2023-07-19 17:21:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4162 https://access.redhat.com/errata/RHSA-2023:4162

Comment 10 errata-xmlrpc 2023-07-19 17:23:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4164 https://access.redhat.com/errata/RHSA-2023:4164

Comment 11 errata-xmlrpc 2023-07-19 17:23:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4173 https://access.redhat.com/errata/RHSA-2023:4173

Comment 12 errata-xmlrpc 2023-07-19 17:23:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4157 https://access.redhat.com/errata/RHSA-2023:4157

Comment 13 errata-xmlrpc 2023-07-19 17:24:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4169 https://access.redhat.com/errata/RHSA-2023:4169

Comment 14 errata-xmlrpc 2023-07-19 17:24:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4172 https://access.redhat.com/errata/RHSA-2023:4172

Comment 15 errata-xmlrpc 2023-07-19 17:24:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4163 https://access.redhat.com/errata/RHSA-2023:4163

Comment 16 errata-xmlrpc 2023-07-19 17:33:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4174 https://access.redhat.com/errata/RHSA-2023:4174

Comment 17 errata-xmlrpc 2023-07-20 12:11:34 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u382

Via RHSA-2023:4209 https://access.redhat.com/errata/RHSA-2023:4209

Comment 18 errata-xmlrpc 2023-07-20 12:11:39 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u382

Via RHSA-2023:4212 https://access.redhat.com/errata/RHSA-2023:4212

Comment 19 errata-xmlrpc 2023-07-20 12:11:46 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.20

Via RHSA-2023:4161 https://access.redhat.com/errata/RHSA-2023:4161

Comment 20 errata-xmlrpc 2023-07-20 12:11:51 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.20

Via RHSA-2023:4208 https://access.redhat.com/errata/RHSA-2023:4208

Comment 21 errata-xmlrpc 2023-07-20 12:12:08 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.8

Via RHSA-2023:4210 https://access.redhat.com/errata/RHSA-2023:4210

Comment 22 errata-xmlrpc 2023-07-20 12:12:14 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.8

Via RHSA-2023:4211 https://access.redhat.com/errata/RHSA-2023:4211

Comment 23 errata-xmlrpc 2023-07-20 12:13:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4177 https://access.redhat.com/errata/RHSA-2023:4177

Comment 24 errata-xmlrpc 2023-07-20 12:13:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4158 https://access.redhat.com/errata/RHSA-2023:4158

Comment 25 errata-xmlrpc 2023-07-20 12:17:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4176 https://access.redhat.com/errata/RHSA-2023:4176

Comment 26 errata-xmlrpc 2023-07-20 12:17:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4159 https://access.redhat.com/errata/RHSA-2023:4159

Comment 27 errata-xmlrpc 2023-07-20 12:17:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4175 https://access.redhat.com/errata/RHSA-2023:4175

Comment 28 errata-xmlrpc 2023-07-20 13:04:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4178 https://access.redhat.com/errata/RHSA-2023:4178

Comment 29 errata-xmlrpc 2023-07-21 13:57:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4166 https://access.redhat.com/errata/RHSA-2023:4166

Comment 30 errata-xmlrpc 2023-07-21 14:01:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4233 https://access.redhat.com/errata/RHSA-2023:4233

Comment 31 Product Security DevOps Team 2023-08-07 14:10:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-22045
