Bug 2160421 (CVE-2023-21835) - CVE-2023-21835 OpenJDK: handshake DoS attack against DTLS connections (JSSE, 8287411)
Summary: CVE-2023-21835 OpenJDK: handshake DoS attack against DTLS connections (JSSE, ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-21835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2160126 2160127 2160128 2160129 2160130 2160131 2160132 2160133 2160134 2160135 2160138 2160139 2160140 2160141 2160142 2160143 2160144 2160145 2160146 2164052
Blocks: 2159709
Reported: 2023-01-12 11:28 UTC by Mauro Matteo Cascella
Modified: 2023-08-07 09:25 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-25 23:52:15 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0190 0 None None None 2023-01-18 10:28:24 UTC
Red Hat Product Errata RHSA-2023:0191 0 None None None 2023-01-18 10:29:53 UTC
Red Hat Product Errata RHSA-2023:0192 0 None None None 2023-01-18 10:30:01 UTC
Red Hat Product Errata RHSA-2023:0193 0 None None None 2023-01-18 10:26:32 UTC
Red Hat Product Errata RHSA-2023:0194 0 None None None 2023-01-23 09:21:13 UTC
Red Hat Product Errata RHSA-2023:0195 0 None None None 2023-01-23 09:22:43 UTC
Red Hat Product Errata RHSA-2023:0196 0 None None None 2023-01-18 10:28:50 UTC
Red Hat Product Errata RHSA-2023:0197 0 None None None 2023-01-18 10:29:03 UTC
Red Hat Product Errata RHSA-2023:0198 0 None None None 2023-01-18 10:29:37 UTC
Red Hat Product Errata RHSA-2023:0199 0 None None None 2023-01-18 10:28:39 UTC
Red Hat Product Errata RHSA-2023:0200 0 None None None 2023-01-18 10:30:16 UTC
Red Hat Product Errata RHSA-2023:0201 0 None None None 2023-01-18 10:29:44 UTC
Red Hat Product Errata RHSA-2023:0202 0 None None None 2023-01-18 10:22:36 UTC
Red Hat Product Errata RHSA-2023:0352 0 None None None 2023-01-23 22:44:25 UTC
Red Hat Product Errata RHSA-2023:0353 0 None None None 2023-01-23 22:40:08 UTC
Red Hat Product Errata RHSA-2023:0388 0 None None None 2023-01-23 22:40:29 UTC
Red Hat Product Errata RHSA-2023:0389 0 None None None 2023-01-23 22:44:46 UTC

Description Mauro Matteo Cascella 2023-01-12 11:28:06 UTC
A flaw was discovered in the DTLS implementation of the JSSE component of OpenJDK, allowing malicious clients to make a DTLS server consume excessive resources by repeatedly transmitting a series of handshake initiation requests. The malicious client could also use this flaw to send pre-generated messages with a spoofed source, causing the server to send replies to a victim machine, thus potentially flooding it.

Comment 6 errata-xmlrpc 2023-01-18 10:22:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0202 https://access.redhat.com/errata/RHSA-2023:0202

Comment 7 errata-xmlrpc 2023-01-18 10:26:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0193 https://access.redhat.com/errata/RHSA-2023:0193

Comment 8 errata-xmlrpc 2023-01-18 10:28:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0190 https://access.redhat.com/errata/RHSA-2023:0190

Comment 9 errata-xmlrpc 2023-01-18 10:28:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0199 https://access.redhat.com/errata/RHSA-2023:0199

Comment 10 errata-xmlrpc 2023-01-18 10:28:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0196 https://access.redhat.com/errata/RHSA-2023:0196

Comment 11 errata-xmlrpc 2023-01-18 10:29:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:0197 https://access.redhat.com/errata/RHSA-2023:0197

Comment 12 errata-xmlrpc 2023-01-18 10:29:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0198 https://access.redhat.com/errata/RHSA-2023:0198

Comment 13 errata-xmlrpc 2023-01-18 10:29:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0201 https://access.redhat.com/errata/RHSA-2023:0201

Comment 14 errata-xmlrpc 2023-01-18 10:29:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0191 https://access.redhat.com/errata/RHSA-2023:0191

Comment 15 errata-xmlrpc 2023-01-18 10:29:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0192 https://access.redhat.com/errata/RHSA-2023:0192

Comment 16 errata-xmlrpc 2023-01-18 10:30:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0200 https://access.redhat.com/errata/RHSA-2023:0200

Comment 17 Mauro Matteo Cascella 2023-01-18 10:36:18 UTC
Public now via Oracle CPU January 2023:

https://www.oracle.com/security-alerts/cpujan2023.html#AppendixJAVA

Fixed in Oracle Java SE 11.0.18, 17.0.6, 19.0.2.

A new security property was introduced as part of the fix:

- DTLS Resumption Uses HelloVerifyRequest Messages

With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.

For more information, see the following release notes:
https://www.oracle.com/java/technologies/javase/11-0-18-relnotes.html
https://www.oracle.com/java/technologies/javase/17-0-6-relnotes.html
https://www.oracle.com/java/technologies/javase/19-0-2-relnotes.html
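
The cookie exchange that the fix in Comment 17 extends to resumed handshakes, modelled in Python as an added example (not JDK code and not from the original bug report): a stateless HelloVerifyRequest cookie bound to the claimed source address, with the `resume_cookie` flag standing in for the jdk.tls.enableDtlsResumeCookie setting. The DtlsServer class, addresses, message bytes and flight sizes are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a server's first flight (ServerHello, Certificate, ...):
# many times larger than a ClientHello, which is what makes replies to an
# unverified source attractive for reflection towards a spoofed address.
SERVER_FLIGHT = b"S" * 900


class DtlsServer:
    """Toy model of the DTLS HelloVerifyRequest cookie exchange (RFC 6347 4.2.1)."""

    def __init__(self, resume_cookie: bool = True):
        # resume_cookie mirrors jdk.tls.enableDtlsResumeCookie: the fixed JDK defaults
        # to True, i.e. cookies are exchanged for new AND resumed handshakes.
        self.resume_cookie = resume_cookie
        self._secret = secrets.token_bytes(32)   # rotated periodically in a real server
        self.sessions_allocated = 0              # per-client state created so far

    def _cookie(self, peer: tuple, client_hello: bytes) -> bytes:
        # Stateless: an HMAC over the claimed source address and the ClientHello, so
        # the server stores nothing until a peer proves it can receive at that address.
        msg = f"{peer[0]}:{peer[1]}|".encode() + client_hello
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def handle_client_hello(self, peer: tuple, client_hello: bytes,
                            cookie: bytes = b"", resumed: bool = False):
        """Return (message_type, payload) the server would send back."""
        if resumed and not self.resume_cookie:
            # Weak setting: resumption skips the cookie, so one spoofed ClientHello
            # both allocates state and triggers a large reply to the forged address.
            self.sessions_allocated += 1
            return "ServerHello", SERVER_FLIGHT
        expected = self._cookie(peer, client_hello)
        if not cookie:
            # Reply is tiny and no state is kept: repeated or spoofed hellos cost little.
            return "HelloVerifyRequest", expected
        if not hmac.compare_digest(cookie, expected):
            return "drop", b""               # forged, or replayed from another address
        self.sessions_allocated += 1
        return "ServerHello", SERVER_FLIGHT


def spoofed_resume_outcome(resume_cookie: bool) -> dict:
    """What one resumption ClientHello with a forged source achieves against the server."""
    server = DtlsServer(resume_cookie=resume_cookie)
    hello = b"CLIENTHELLO|session=abcd"       # constructed, 24 bytes
    kind, reply = server.handle_client_hello(("192.0.2.10", 4433), hello, resumed=True)
    return {"reply": kind, "amplification": round(len(reply) / len(hello), 1),
            "state_allocated": server.sessions_allocated}
```

Compare `spoofed_resume_outcome(True)` (the fixed default) with `spoofed_resume_outcome(False)`: only the weak setting lets an unverified source allocate server state and obtain an amplified reply.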

Comment 18 errata-xmlrpc 2023-01-23 09:21:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0194 https://access.redhat.com/errata/RHSA-2023:0194

Comment 19 errata-xmlrpc 2023-01-23 09:22:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:0195 https://access.redhat.com/errata/RHSA-2023:0195

Comment 20 errata-xmlrpc 2023-01-23 22:40:06 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.18

Via RHSA-2023:0353 https://access.redhat.com/errata/RHSA-2023:0353

Comment 21 errata-xmlrpc 2023-01-23 22:40:27 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.18

Via RHSA-2023:0388 https://access.redhat.com/errata/RHSA-2023:0388

Comment 22 errata-xmlrpc 2023-01-23 22:44:23 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.6

Via RHSA-2023:0352 https://access.redhat.com/errata/RHSA-2023:0352

Comment 23 errata-xmlrpc 2023-01-23 22:44:44 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.6

Via RHSA-2023:0389 https://access.redhat.com/errata/RHSA-2023:0389

Comment 25 Product Security DevOps Team 2023-01-25 23:52:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-21835