A flaw was discovered in the DTLS in JSSE component of OpenJDK, allowing malicious clients to make a DTLS server consume excessive resources by repeatedly transmitting a series of handshake initiation requests. The malicious client could also use this flaw to send pre-generated messages with a spoofed source, causing the server to send replies to a victim machine, thus potentially flooding it.
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/04f32aacb592cd8f9c963278f01310a138a940ff
OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u/commit/57f29406b9d729a69410113518094f641c5799ea
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0202 https://access.redhat.com/errata/RHSA-2023:0202
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:0193 https://access.redhat.com/errata/RHSA-2023:0193
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:0190 https://access.redhat.com/errata/RHSA-2023:0190
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:0199 https://access.redhat.com/errata/RHSA-2023:0199
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:0196 https://access.redhat.com/errata/RHSA-2023:0196
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:0197 https://access.redhat.com/errata/RHSA-2023:0197
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:0198 https://access.redhat.com/errata/RHSA-2023:0198
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:0201 https://access.redhat.com/errata/RHSA-2023:0201
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:0191 https://access.redhat.com/errata/RHSA-2023:0191
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0192 https://access.redhat.com/errata/RHSA-2023:0192
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0200 https://access.redhat.com/errata/RHSA-2023:0200
Public now via Oracle CPU January 2023: https://www.oracle.com/security-alerts/cpujan2023.html#AppendixJAVA
Fixed in Oracle Java SE 11.0.18, 17.0.6, 19.0.2.
A new security property was introduced as part of the fix:
- DTLS Resumption Uses HelloVerifyRequest Messages
With this fix the SunJSSE DTLS implementation will by default exchange cookies for all handshakes (new and resumed) unless the System property jdk.tls.enableDtlsResumeCookie is false. The property only affects the cookie exchange for resumption.
For more information, see the following release notes:
https://www.oracle.com/java/technologies/javase/11-0-18-relnotes.html
https://www.oracle.com/java/technologies/javase/17-0-6-relnotes.html
https://www.oracle.com/java/technologies/javase/19-0-2-relnotes.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0194 https://access.redhat.com/errata/RHSA-2023:0194
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:0195 https://access.redhat.com/errata/RHSA-2023:0195
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.18 Via RHSA-2023:0353 https://access.redhat.com/errata/RHSA-2023:0353
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.18 Via RHSA-2023:0388 https://access.redhat.com/errata/RHSA-2023:0388
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.6 Via RHSA-2023:0352 https://access.redhat.com/errata/RHSA-2023:0352
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.6 Via RHSA-2023:0389 https://access.redhat.com/errata/RHSA-2023:0389
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-21835