Bug 1216379 (CVE-2023-22067)

Summary: VUL-0: CVE-2023-22067: java-1_8_0-openjdk: IOR deserialization issue in CORBA
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, fstrba, gabriele.sonnu, gianluca.gabrielli, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/382184/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-22067:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-18 13:09:12 UTC
Vulnerability in Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381 and 8u381-perf. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

CVSS 3.1 Base Score 5.3 (Integrity impacts).
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22067
Comment 4 Maintenance Automation 2023-11-21 16:30:22 UTC
SUSE-SU-2023:4507-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1211968, 1216374, 1216379
CVE References: CVE-2015-4000, CVE-2023-22067, CVE-2023-22081
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): java-1_8_0-openjdk-1.8.0.392-27.93.1
SUSE Linux Enterprise Server 12 SP5 (src): java-1_8_0-openjdk-1.8.0.392-27.93.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): java-1_8_0-openjdk-1.8.0.392-27.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2023-11-21 16:30:25 UTC
SUSE-SU-2023:4506-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1211968, 1216374, 1216379
CVE References: CVE-2015-4000, CVE-2023-22067, CVE-2023-22081
Sources used:
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Enterprise Storage 7.1 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE CaaS Platform 4.0 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
openSUSE Leap 15.4 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
openSUSE Leap 15.5 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
Legacy Module 15-SP4 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
Legacy Module 15-SP5 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-11-27 12:30:53 UTC
SUSE-SU-2023:4572-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1204264, 1216339, 1216374, 1216379, 1216640, 1217214
CVE References: CVE-2023-22025, CVE-2023-22067, CVE-2023-22081, CVE-2023-5676
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-11-29 16:30:01 UTC
SUSE-SU-2023:4614-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1204264, 1216339, 1216374, 1216379, 1216640, 1217214
CVE References: CVE-2023-22025, CVE-2023-22067, CVE-2023-22081, CVE-2023-5676
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-11-29 16:30:06 UTC
SUSE-SU-2023:4612-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1216374, 1216379, 1217214
CVE References: CVE-2023-22067, CVE-2023-22081, CVE-2023-5676
Sources used:
openSUSE Leap 15.4 (src): java-1_8_0-openj9-1.8.0.392-150200.3.39.1
openSUSE Leap 15.5 (src): java-1_8_0-openj9-1.8.0.392-150200.3.39.1
SUSE Package Hub 15 15-SP5 (src): java-1_8_0-openj9-1.8.0.392-150200.3.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
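The update notices above give a different fixed build for each stream (27.93.1 on SLE 12 SP5, 150000.3.85.1 on the SLE 15 family, 150200.3.39.1 for the OpenJ9 package), so "is this host fixed?" has to be answered against the threshold for that host's stream, with rpm's own version ordering. The following is an added example, not SUSE's tooling: it ports rpm's rpmvercmp() to Python, expects the installed string in the `[epoch:]version-release` form that `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' java-1_8_0-openjdk` prints on the target, and the stream labels and the host inventory in it are constructed for the demonstration.

```python
"""Check installed java-1_8_0-openjdk / java-1_8_0-openj9 builds against the
fixed versions from the SUSE update notices above. Added example, not SUSE
tooling; rpmvercmp() is a Python port of rpm's comparison so it runs anywhere."""
import string

DIGITS = set(string.digits)
LETTERS = set(string.ascii_letters)
ALNUM = DIGITS | LETTERS

# Fixed version-release per stream, copied from the notices above. A threshold
# only applies inside its stream: a SLE 15 release (150000.x) compares as newer
# than a SLE 12 SP5 one (27.x), which says nothing about a SLE 12 host.
FIXED = {
    "sle12sp5/java-1_8_0-openjdk": "1.8.0.392-27.93.1",        # SUSE-SU-2023:4507-1
    "sle15/java-1_8_0-openjdk": "1.8.0.392-150000.3.85.1",     # SUSE-SU-2023:4506-1
    "leap15/java-1_8_0-openj9": "1.8.0.392-150200.3.39.1",     # SUSE-SU-2023:4612-1
}


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 like strcmp."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # anything that is not alphanumeric, '~' or '^' is a separator
        while i < len(a) and a[i] not in ALNUM and a[i] not in "~^":
            i += 1
        while j < len(b) and b[j] not in ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # '~' sorts before anything, including end of string: 1.0~rc1 < 1.0
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after end of string but before a real segment: 1.0 < 1.0^post < 1.0.1
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        # take a run of digits or a run of letters from both strings
        cls = DIGITS if ca in DIGITS else LETTERS
        si, sj = i, j
        while i < len(a) and a[i] in cls:
            i += 1
        while j < len(b) and b[j] in cls:
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # segment types differ: the numeric one is newer
            return 1 if cls is DIGITS else -1
        if cls is DIGITS:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(s: str):
    """Split '[epoch:]version-release'; rpm prints '(none)' for a missing epoch."""
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = s.partition("-")
    return epoch, version, release


def evr_compare(x: str, y: str) -> int:
    """Compare two '[epoch:]version-release' strings the way rpm does."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def is_patched(installed: str, stream: str) -> bool:
    return evr_compare(installed, FIXED[stream]) >= 0


# Constructed inventory for the demo: (host, stream, rpm query output). Not real hosts.
SAMPLES = [
    ("sles15-a", "sle15/java-1_8_0-openjdk", "(none):1.8.0.382-150000.3.83.1"),
    ("sles15-b", "sle15/java-1_8_0-openjdk", "(none):1.8.0.392-150000.3.85.1"),
    ("sles12-a", "sle12sp5/java-1_8_0-openjdk", "(none):1.8.0.392-27.93.1"),
    ("leap-a", "leap15/java-1_8_0-openj9", "(none):1.8.0.372-150200.3.36.1"),
]


def unpatched(samples=SAMPLES):
    """Hosts whose installed build is below the fixed one for their stream."""
    return [host for host, stream, evr in samples if not is_patched(evr, stream)]


if __name__ == "__main__":
    for host in unpatched():
        print(f"{host}: below the fixed java-1_8_0 build for its stream")
```

Two points worth keeping in mind when using this: a pre-release suffix such as `~pre` sorts below the bare version in rpm's ordering, so it must not be mistaken for a later build; and being at the fixed version only means the host carries what the notice claims to fix, which the notices themselves caveat may be a partial fix.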
Comment 12 Fridrich Strba 2024-01-29 16:59:55 UTC
I will, but in a few days I will have yet another security update from the January 2024 CPU; I will then submit it there too and we will have it in sync with SLE.
Comment 13 Fridrich Strba 2024-01-30 05:33:49 UTC
A question: is there not a possibility to just link the package to SUSE:SLE-15:Update java-1_8_0-openjdk, so that it receives the updates automatically? I use exactly the same spec for everything from SLE-12-SP1 up to Factory. This would save us from having to submit the same stuff everywhere and would make it less error-prone.
Comment 14 Fridrich Strba 2024-03-05 09:29:42 UTC
ALP is fixed also. I think this one can be closed now.
Comment 15 Alexander Bergmann 2024-05-24 11:11:21 UTC
Released. Closing bug.