Bug 1213485 (CVE-2023-22043)

Summary: VUL-0: CVE-2023-22043: java-17-openjdk,java-11-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Fridrich Strba <fstrba>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: fstrba, security-team, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/372911/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-22043:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: Security Response Team
Services Priority: ---
Business Priority: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2023-07-19 13:46:50 UTC
CVE-2023-22043

Vulnerability in Oracle Java SE (component: JavaFX). The supported version
that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability
allows unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE. Successful attacks of this vulnerability can result
in unauthorized creation, deletion or modification access to critical data or
all Oracle Java SE accessible data. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web Start applications
or sandboxed Java applets, that load and run untrusted code (e.g., code that
comes from the internet) and rely on the Java sandbox for security. This
vulnerability does not apply to Java deployments, typically in servers, that
load and run only trusted code (e.g., code installed by an administrator). CVSS
3.1 Base Score 5.9 (Integrity impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22043
https://www.cve.org/CVERecord?id=CVE-2023-22043
https://www.oracle.com/security-alerts/cpujul2023.html

Comment 1 Thomas Leroy 2023-07-19 13:47:22 UTC
Fridrich, what are the packages shipping Java SE?