Bugzilla – Bug 1216379
VUL-0: CVE-2023-22067: java-1_8_0-openjdk: IOR deserialization issue in CORBA
Last modified: 2024-05-24 11:11:21 UTC
Vulnerability in Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381 and 8u381-perf. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

CVSS 3.1 Base Score 5.3 (Integrity impacts).
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22067
SUSE-SU-2023:4507-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1211968, 1216374, 1216379
CVE References: CVE-2015-4000, CVE-2023-22067, CVE-2023-22081
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): java-1_8_0-openjdk-1.8.0.392-27.93.1
SUSE Linux Enterprise Server 12 SP5 (src): java-1_8_0-openjdk-1.8.0.392-27.93.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): java-1_8_0-openjdk-1.8.0.392-27.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4506-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1211968, 1216374, 1216379
CVE References: CVE-2015-4000, CVE-2023-22067, CVE-2023-22081
Sources used:
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Enterprise Storage 7.1 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE CaaS Platform 4.0 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
openSUSE Leap 15.4 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
openSUSE Leap 15.5 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
Legacy Module 15-SP4 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
Legacy Module 15-SP5 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): java-1_8_0-openjdk-1.8.0.392-150000.3.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4572-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1204264, 1216339, 1216374, 1216379, 1216640, 1217214
CVE References: CVE-2023-22025, CVE-2023-22067, CVE-2023-22081, CVE-2023-5676
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4614-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1204264, 1216339, 1216374, 1216379, 1216640, 1217214
CVE References: CVE-2023-22025, CVE-2023-22067, CVE-2023-22081, CVE-2023-5676
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4612-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1216374, 1216379, 1217214
CVE References: CVE-2023-22067, CVE-2023-22081, CVE-2023-5676
Sources used:
openSUSE Leap 15.4 (src): java-1_8_0-openj9-1.8.0.392-150200.3.39.1
openSUSE Leap 15.5 (src): java-1_8_0-openj9-1.8.0.392-150200.3.39.1
SUSE Package Hub 15 15-SP5 (src): java-1_8_0-openj9-1.8.0.392-150200.3.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I will do so, but in a few days I will have yet another security update from the January 2024 CPU; I will then submit it there too and we will have it in sync with SLE.
A question: is there not a possibility to just link the package to SUSE:SLE-15:Update java-1_8_0-openjdk, so that it receives the updates automatically? I use exactly the same spec for everything, starting with SLE-12-SP1 and ending with Factory. This would save us from having to submit the same stuff everywhere and would make it less error-prone.
ALP is fixed also. I think this one can be closed now.
Released. Closing bug.