2108540 – (CVE-2022-21540) CVE-2022-21540 OpenJDK: class compilation issue (Hotspot, 8281859)

Bug 2108540 (CVE-2022-21540) - CVE-2022-21540 OpenJDK: class compilation issue (Hotspot, 8281859)

Summary: CVE-2022-21540 OpenJDK: class compilation issue (Hotspot, 8281859)

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-21540
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2106502 2106503 2106504 2106505 2106506 2106507 2106508 2106509 2106510 2106511 2106512 2106513 2106514 2106515 2106516 2106517 2106518 2106519 2106520 2106521 2106522 2106523 2106524 2121469
Blocks:	2106494
TreeView+	depends on / blocked

Reported:	2022-07-19 09:20 UTC by Mauro Matteo Cascella
Modified:	2024-03-19 13:01 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-08-30 16:25:54 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2022:5690	None	None	None	2022-07-21 21:02:28 UTC
Red Hat Product Errata	RHBA-2022:5705	None	None	None	2022-07-25 22:03:04 UTC
Red Hat Product Errata	RHBA-2022:5706	None	None	None	2022-07-25 22:00:56 UTC
Red Hat Product Errata	RHBA-2022:5707	None	None	None	2022-07-25 21:57:33 UTC
Red Hat Product Errata	RHBA-2022:5708	None	None	None	2022-07-25 22:05:11 UTC
Red Hat Product Errata	RHBA-2022:5710	None	None	None	2022-07-26 10:15:28 UTC
Red Hat Product Errata	RHBA-2022:5712	None	None	None	2022-07-26 12:16:35 UTC
Red Hat Product Errata	RHBA-2022:5722	None	None	None	2022-07-26 15:58:42 UTC
Red Hat Product Errata	RHBA-2022:5724	None	None	None	2022-07-26 16:26:33 UTC
Red Hat Product Errata	RHBA-2022:5728	None	None	None	2022-07-26 21:37:30 UTC
Red Hat Product Errata	RHBA-2022:5750	None	None	None	2022-07-28 12:40:17 UTC
Red Hat Product Errata	RHBA-2022:5751	None	None	None	2022-07-28 12:38:16 UTC
Red Hat Product Errata	RHBA-2022:5752	None	None	None	2022-07-28 14:13:06 UTC
Red Hat Product Errata	RHBA-2022:5763	None	None	None	2022-07-28 19:43:58 UTC
Red Hat Product Errata	RHBA-2022:5782	None	None	None	2022-08-01 11:50:18 UTC
Red Hat Product Errata	RHBA-2022:5783	None	None	None	2022-08-01 11:53:09 UTC
Red Hat Product Errata	RHBA-2022:5784	None	None	None	2022-08-01 11:54:57 UTC
Red Hat Product Errata	RHBA-2022:5873	None	None	None	2022-08-03 08:58:45 UTC
Red Hat Product Errata	RHBA-2022:5882	None	None	None	2022-08-03 10:35:37 UTC
Red Hat Product Errata	RHBA-2022:5885	None	None	None	2022-08-03 15:36:47 UTC
Red Hat Product Errata	RHBA-2022:5886	None	None	None	2022-08-03 15:38:06 UTC
Red Hat Product Errata	RHBA-2022:6025	None	None	None	2022-08-10 03:14:34 UTC
Red Hat Product Errata	RHBA-2022:6031	None	None	None	2022-08-10 07:22:21 UTC
Red Hat Product Errata	RHBA-2022:6045	None	None	None	2022-08-10 14:41:23 UTC
Red Hat Product Errata	RHBA-2022:6049	None	None	None	2022-08-10 17:01:08 UTC
Red Hat Product Errata	RHBA-2022:6050	None	None	None	2022-08-10 17:47:19 UTC
Red Hat Product Errata	RHBA-2022:6059	None	None	None	2022-08-15 08:39:56 UTC
Red Hat Product Errata	RHBA-2022:6067	None	None	None	2022-08-15 10:45:05 UTC
Red Hat Product Errata	RHBA-2022:6076	None	None	None	2022-08-16 10:39:10 UTC
Red Hat Product Errata	RHBA-2022:6077	None	None	None	2022-08-16 10:35:00 UTC
Red Hat Product Errata	RHBA-2022:6112	None	None	None	2022-08-18 11:44:21 UTC
Red Hat Product Errata	RHBA-2022:6140	None	None	None	2022-08-23 18:08:48 UTC
Red Hat Product Errata	RHBA-2022:6186	None	None	None	2022-08-25 08:14:05 UTC
Red Hat Product Errata	RHSA-2022:5681	None	None	None	2022-07-21 15:26:24 UTC
Red Hat Product Errata	RHSA-2022:5683	None	None	None	2022-07-21 15:23:48 UTC
Red Hat Product Errata	RHSA-2022:5684	None	None	None	2022-07-21 15:00:38 UTC
Red Hat Product Errata	RHSA-2022:5685	None	None	None	2022-07-21 14:10:00 UTC
Red Hat Product Errata	RHSA-2022:5687	None	None	None	2022-07-21 16:48:25 UTC
Red Hat Product Errata	RHSA-2022:5695	None	None	None	2022-07-25 14:52:13 UTC
Red Hat Product Errata	RHSA-2022:5696	None	None	None	2022-07-25 15:42:03 UTC
Red Hat Product Errata	RHSA-2022:5697	None	None	None	2022-07-25 15:40:30 UTC
Red Hat Product Errata	RHSA-2022:5698	None	None	None	2022-07-25 18:17:34 UTC
Red Hat Product Errata	RHSA-2022:5700	None	None	None	2022-07-25 15:52:47 UTC
Red Hat Product Errata	RHSA-2022:5701	None	None	None	2022-07-25 15:29:54 UTC
Red Hat Product Errata	RHSA-2022:5709	None	None	None	2022-07-25 23:15:26 UTC
Red Hat Product Errata	RHSA-2022:5726	None	None	None	2022-07-26 18:20:57 UTC
Red Hat Product Errata	RHSA-2022:5736	None	None	None	2022-07-27 13:19:54 UTC
Red Hat Product Errata	RHSA-2022:5753	None	None	None	2022-07-28 15:32:42 UTC
Red Hat Product Errata	RHSA-2022:5754	None	None	None	2022-07-28 15:33:27 UTC
Red Hat Product Errata	RHSA-2022:5755	None	None	None	2022-07-28 15:40:18 UTC
Red Hat Product Errata	RHSA-2022:5756	None	None	None	2022-07-28 15:41:01 UTC
Red Hat Product Errata	RHSA-2022:5757	None	None	None	2022-07-28 15:46:20 UTC
Red Hat Product Errata	RHSA-2022:5758	None	None	None	2022-07-28 15:47:04 UTC

Description Mauro Matteo Cascella 2022-07-19 09:20:38 UTC

A flaw was found in the way the Hotspot component of OpenJDK generated class code. An untrusted Java application or applet could potentially use this flaw to bypass Java sandbox restrictions.

Comment 1 Mauro Matteo Cascella 2022-07-19 23:41:05 UTC

Public now via Oracle CPU July 2022:

https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA

Fixed in Oracle Java SE 7u351, 8u341, 11.0.16, 17.0.4, 18.0.2.

Release notes:
https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_351
https://www.oracle.com/java/technologies/javase/8u341-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-16-relnotes.html
https://www.oracle.com/java/technologies/javase/17-0-4-relnotes.html
https://www.oracle.com/java/technologies/javase/18-0-2-relnotes.html

Comment 8 errata-xmlrpc 2022-07-21 14:09:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5685 https://access.redhat.com/errata/RHSA-2022:5685

Comment 9 errata-xmlrpc 2022-07-21 15:00:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5684 https://access.redhat.com/errata/RHSA-2022:5684

Comment 10 errata-xmlrpc 2022-07-21 15:23:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5683 https://access.redhat.com/errata/RHSA-2022:5683

Comment 11 errata-xmlrpc 2022-07-21 15:26:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5681 https://access.redhat.com/errata/RHSA-2022:5681

Comment 12 errata-xmlrpc 2022-07-21 16:48:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5687 https://access.redhat.com/errata/RHSA-2022:5687

Comment 13 errata-xmlrpc 2022-07-25 14:52:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5695 https://access.redhat.com/errata/RHSA-2022:5695

Comment 14 errata-xmlrpc 2022-07-25 15:29:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5701 https://access.redhat.com/errata/RHSA-2022:5701

Comment 15 errata-xmlrpc 2022-07-25 15:40:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5697 https://access.redhat.com/errata/RHSA-2022:5697

Comment 16 errata-xmlrpc 2022-07-25 15:42:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5696 https://access.redhat.com/errata/RHSA-2022:5696

Comment 17 errata-xmlrpc 2022-07-25 15:52:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5700 https://access.redhat.com/errata/RHSA-2022:5700

Comment 18 errata-xmlrpc 2022-07-25 18:17:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5698 https://access.redhat.com/errata/RHSA-2022:5698

Comment 19 errata-xmlrpc 2022-07-25 23:15:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5709 https://access.redhat.com/errata/RHSA-2022:5709

Comment 20 errata-xmlrpc 2022-07-26 18:20:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5726 https://access.redhat.com/errata/RHSA-2022:5726

Comment 21 errata-xmlrpc 2022-07-27 13:19:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5736 https://access.redhat.com/errata/RHSA-2022:5736

Comment 22 errata-xmlrpc 2022-07-28 15:32:40 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u342

Via RHSA-2022:5753 https://access.redhat.com/errata/RHSA-2022:5753

Comment 23 errata-xmlrpc 2022-07-28 15:33:24 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u342

Via RHSA-2022:5754 https://access.redhat.com/errata/RHSA-2022:5754

Comment 24 errata-xmlrpc 2022-07-28 15:40:15 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.16

Via RHSA-2022:5755 https://access.redhat.com/errata/RHSA-2022:5755

Comment 25 errata-xmlrpc 2022-07-28 15:40:58 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.16

Via RHSA-2022:5756 https://access.redhat.com/errata/RHSA-2022:5756

Comment 26 errata-xmlrpc 2022-07-28 15:46:18 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.4

Via RHSA-2022:5757 https://access.redhat.com/errata/RHSA-2022:5757

Comment 27 errata-xmlrpc 2022-07-28 15:47:01 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.4

Via RHSA-2022:5758 https://access.redhat.com/errata/RHSA-2022:5758

Comment 28 Mauro Matteo Cascella 2022-07-29 17:03:48 UTC

OpenJDK-17 upstream commit:
https://github.com/openjdk/jdk17u/commit/8be0fc09f0ba2dd1dbfd6627456fa929d5574b04

OpenJDK-11 upstream commit:
https://github.com/openjdk/jdk11u/commit/6c0ba0785a2f0900be301f72764cf4dcfa720991

OpenJDK-8 upstream commit:
https://github.com/openjdk/jdk8u/commit/1dafef08cc922ee85a8e216387100dc681a5484d

Comment 30 Product Security DevOps Team 2022-08-30 16:25:52 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21540

Note You need to log in before you can comment on or make changes to this bug.

ahughes
caswilli
chazlett
dbhole
dffrench
dfitzmau
fjansen
gzaronik
jdowland
jochrist
jvanek
kaycoth
nengard
neugens
ngough
pjindal
rgodfrey
security-response-team
sraghupu
sthirugn
vkrizan