A flaw was found in the object reclamation process of the Hotspot JVM garbage collector in the way it enqueued references. An untrusted Java application or applet could use this flaw to possibly bypass Java sandbox restrictions and access sensitive information.
OpenJDK-8 upstream commit: https://github.com/openjdk/jdk8u/commit/1a42e35729d1a0b049a13b762b0cbb4f046081ea OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u/commit/780327d1de4fee3e77c3e48018908bf0c3fcd55a OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/dfded6daaafb3a517bac6a07bcb4ec40db4a4a2e
Public now via Oracle CPU April 2023: https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA Fixed in Oracle Java SE 8u371, 11.0.19, 17.0.7. Release notes: https://www.oracle.com/java/technologies/javase/8u371-relnotes.html https://www.oracle.com/java/technologies/javase/11-0-19-relnotes.html https://www.oracle.com/java/technologies/javase/17-0-7-relnotes.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:1875 https://access.redhat.com/errata/RHSA-2023:1875
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:1877 https://access.redhat.com/errata/RHSA-2023:1877
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:1878 https://access.redhat.com/errata/RHSA-2023:1878
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1879 https://access.redhat.com/errata/RHSA-2023:1879
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1880 https://access.redhat.com/errata/RHSA-2023:1880
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.19 Via RHSA-2023:1883 https://access.redhat.com/errata/RHSA-2023:1883
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.19 Via RHSA-2023:1882 https://access.redhat.com/errata/RHSA-2023:1882
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.7 Via RHSA-2023:1885 https://access.redhat.com/errata/RHSA-2023:1885
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.7 Via RHSA-2023:1884 https://access.redhat.com/errata/RHSA-2023:1884
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1889 https://access.redhat.com/errata/RHSA-2023:1889
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1890 https://access.redhat.com/errata/RHSA-2023:1890
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1891 https://access.redhat.com/errata/RHSA-2023:1891
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1892 https://access.redhat.com/errata/RHSA-2023:1892
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1895 https://access.redhat.com/errata/RHSA-2023:1895
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1898 https://access.redhat.com/errata/RHSA-2023:1898
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1899 https://access.redhat.com/errata/RHSA-2023:1899
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1900 https://access.redhat.com/errata/RHSA-2023:1900
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:1904 https://access.redhat.com/errata/RHSA-2023:1904
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:1911 https://access.redhat.com/errata/RHSA-2023:1911
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:1905 https://access.redhat.com/errata/RHSA-2023:1905
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1906 https://access.redhat.com/errata/RHSA-2023:1906
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:1909 https://access.redhat.com/errata/RHSA-2023:1909
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1908 https://access.redhat.com/errata/RHSA-2023:1908
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1910 https://access.redhat.com/errata/RHSA-2023:1910
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1907 https://access.redhat.com/errata/RHSA-2023:1907
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u362 Via RHSA-2023:1912 https://access.redhat.com/errata/RHSA-2023:1912
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u362 Via RHSA-2023:1903 https://access.redhat.com/errata/RHSA-2023:1903
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-21954