It was discovered that the Hotspot component of OpenJDK did not properly restrict access to the invokeBasic() method of the MethodHandle class. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Public now via Oracle CPU July 2022: https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA
Fixed in Oracle Java SE 7u351, 8u341, 11.0.16, 17.0.4, 18.0.2.
Release notes:
https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_351
https://www.oracle.com/java/technologies/javase/8u341-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-16-relnotes.html
https://www.oracle.com/java/technologies/javase/17-0-4-relnotes.html
https://www.oracle.com/java/technologies/javase/18-0-2-relnotes.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:5685 https://access.redhat.com/errata/RHSA-2022:5685
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:5684 https://access.redhat.com/errata/RHSA-2022:5684
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5683 https://access.redhat.com/errata/RHSA-2022:5683
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:5681 https://access.redhat.com/errata/RHSA-2022:5681
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5687 https://access.redhat.com/errata/RHSA-2022:5687
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5695 https://access.redhat.com/errata/RHSA-2022:5695
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:5701 https://access.redhat.com/errata/RHSA-2022:5701
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:5697 https://access.redhat.com/errata/RHSA-2022:5697
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5696 https://access.redhat.com/errata/RHSA-2022:5696
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:5700 https://access.redhat.com/errata/RHSA-2022:5700
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5698 https://access.redhat.com/errata/RHSA-2022:5698
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5709 https://access.redhat.com/errata/RHSA-2022:5709
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5726 https://access.redhat.com/errata/RHSA-2022:5726
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5736 https://access.redhat.com/errata/RHSA-2022:5736
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u342 Via RHSA-2022:5753 https://access.redhat.com/errata/RHSA-2022:5753
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u342 Via RHSA-2022:5754 https://access.redhat.com/errata/RHSA-2022:5754
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.16 Via RHSA-2022:5755 https://access.redhat.com/errata/RHSA-2022:5755
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.16 Via RHSA-2022:5756 https://access.redhat.com/errata/RHSA-2022:5756
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.4 Via RHSA-2022:5757 https://access.redhat.com/errata/RHSA-2022:5757
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.4 Via RHSA-2022:5758 https://access.redhat.com/errata/RHSA-2022:5758
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/860464e46105b98ccf21e98abe2dc6e80155887c
OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u/commit/132745902a4601dc64b2c8ca112ca30292feccb4
OpenJDK-8 upstream commit: https://github.com/openjdk/jdk8u/commit/f14e35d20e1a4d0f507f05838844152f2242c6d3
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-21541