It was discovered that the Libraries component in OpenJDK failed to properly verify ECDSA (Elliptic Curve Digital Signature Algorithm) signatures. A remote attacker could use this flaw to make a Java application compute an invalid signature for arbitrary forged content, thus bypassing the signature verification process.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1445 https://access.redhat.com/errata/RHSA-2022:1445
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/2d4103a3d929e05edca98e7703e0869077966be7
Oracle CPU April 2022: https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA
Fixed in Oracle Java SE 7u341, 8u331, 11.0.15, 17.0.3, 18.0.1.
This issue was found and responsibly disclosed to Oracle by ForgeRock. For a detailed description of the bug and possible consequences, see Neil Madden's blog post: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java.
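As an added triage helper (not part of this bug, and not Red Hat's or Oracle's tooling), the script below classifies the first line of `java -version` output against the fixed Oracle Java SE releases listed above (7u341, 8u331, 11.0.15, 17.0.3, 18.0.1). It only applies to upstream/Oracle version numbering: Red Hat packages carry their own rpm versions, which this bug does not list, so for RHEL the linked RHSA errata are the authoritative check. The sample banners at the bottom are constructed, and families not named in the CPU are reported as unknown rather than guessed.

```python
"""Classify `java -version` banners against the CVE-2022-21449 fixed releases (added example)."""
import re

# Fixed Oracle Java SE releases from the April 2022 CPU, keyed by feature release.
# Legacy families (7, 8) compare as (family, update); JEP 223 families compare
# as (feature, interim, update, ...).
FIXED = {
    7: (7, 341),
    8: (8, 331),
    11: (11, 0, 15),
    17: (17, 0, 3),
    18: (18, 0, 1),
}

_VERSION_RE = re.compile(r'version "([^"]+)"')

def parse_java_version(banner):
    """Turn a `java -version` first line into a comparable tuple, or None.

    "1.8.0_332" -> (8, 332); "11.0.14.1" -> (11, 0, 14, 1); "18" -> (18, 0, 0).
    Build suffixes such as "-b09", "-ea" or "+10" are ignored.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    ver = m.group(1)
    legacy = re.fullmatch(r"1\.(\d+)\.\d+_(\d+)(?:-.*)?", ver)
    if legacy:
        return (int(legacy.group(1)), int(legacy.group(2)))
    modern = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+].*)?", ver)
    if modern:
        parts = [int(x) for x in modern.group(1).split(".")]
        while len(parts) < 3:  # pad "18" to (18, 0, 0) so tuples compare sanely
            parts.append(0)
        return tuple(parts)
    return None

def status_for(banner):
    """Return ("fixed" | "affected" | "unknown", parsed_version)."""
    ver = parse_java_version(banner)
    if ver is None:
        return ("unknown", None)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        # Families not in the CPU table (e.g. 9, 10, 12-16) get no verdict here.
        return ("unknown", ver)
    return ("fixed" if ver >= fixed else "affected", ver)

# Constructed sample banners; none of these are captured from a real host.
SAMPLE_BANNERS = [
    'openjdk version "1.8.0_312"',
    'openjdk version "1.8.0_332"',
    'java version "1.7.0_341"',
    'openjdk version "11.0.14.1" 2022-02-08',
    'openjdk version "17.0.3" 2022-04-19',
    'openjdk version "18.0.1" 2022-04-19',
    'openjdk version "16.0.2" 2021-07-20',
]

def triage(banners):
    """Map each banner to its status label."""
    return {b: status_for(b)[0] for b in banners}

if __name__ == "__main__":
    for banner, status in triage(SAMPLE_BANNERS).items():
        print(f"{status:9s} {banner}")
```

On a live host the input would be the first line of `java -version 2>&1`; the parser is kept separate from `status_for` so the version tuples can also be fed from an inventory export.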
Will the 17.0.3 release be picked up for EL7 automatically? Thanks in advance!
@bernhard.schuhmann We do not provide OpenJDK 17 as part of RHEL7.
(In reply to Jonathan Dowland from comment #8)
> @bernhard.schuhmann We do not provide OpenJDK 17 as part of RHEL7.

@jdowland, I was referring to the EPEL repository for CentOS 7, which provides OpenJDK 17.0.2. I wanted to ask whether this version would get updated 'automatically', or what the process would be to ask for an update there?
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.3 Via RHSA-2022:1436 https://access.redhat.com/errata/RHSA-2022:1436
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.3 Via RHSA-2022:1437 https://access.redhat.com/errata/RHSA-2022:1437
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-21449
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:1729 https://access.redhat.com/errata/RHSA-2022:1729