USN-5898-1: OpenJDK vulnerabilities

Releases

• Ubuntu 22.10
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM

Packages

• openjdk-8 - Open Source Java implementation

Details

It was discovered that the Serialization component of OpenJDK did not
properly handle the deserialization of some CORBA objects. An attacker
could possibly use this to bypass Java sandbox restrictions.
(CVE-2023-21830)

Markus Loewe discovered that the Java Sound subsystem in OpenJDK did not
properly validate the origin of a Soundbank. An attacker could use this to
specially craft an untrusted Java application or applet that could load a
Soundbank from an attacker controlled remote URL. (CVE-2023-21843)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.10

• openjdk-8-jdk - 8u362-ga-0ubuntu1~22.10
• openjdk-8-jre-headless - 8u362-ga-0ubuntu1~22.10
• openjdk-8-jre - 8u362-ga-0ubuntu1~22.10
• openjdk-8-jre-zero - 8u362-ga-0ubuntu1~22.10

Ubuntu 22.04

• openjdk-8-jdk - 8u362-ga-0ubuntu1~22.04
• openjdk-8-jre-headless - 8u362-ga-0ubuntu1~22.04
• openjdk-8-jre - 8u362-ga-0ubuntu1~22.04
• openjdk-8-jre-zero - 8u362-ga-0ubuntu1~22.04

Ubuntu 20.04

• openjdk-8-jdk - 8u362-ga-0ubuntu1~20.04.1
• openjdk-8-jre-headless - 8u362-ga-0ubuntu1~20.04.1
• openjdk-8-jre - 8u362-ga-0ubuntu1~20.04.1
• openjdk-8-jre-zero - 8u362-ga-0ubuntu1~20.04.1

Ubuntu 18.04

• openjdk-8-jdk - 8u362-ga-0ubuntu1~18.04.1
• openjdk-8-jre-headless - 8u362-ga-0ubuntu1~18.04.1
• openjdk-8-jre - 8u362-ga-0ubuntu1~18.04.1
• openjdk-8-jre-zero - 8u362-ga-0ubuntu1~18.04.1

Ubuntu 16.04

• openjdk-8-jdk - 8u362-ga-0ubuntu1~16.04.1
  Available with Ubuntu Pro
• openjdk-8-jre-headless - 8u362-ga-0ubuntu1~16.04.1
  Available with Ubuntu Pro
• openjdk-8-jre - 8u362-ga-0ubuntu1~16.04.1
  Available with Ubuntu Pro
• openjdk-8-jre-zero - 8u362-ga-0ubuntu1~16.04.1
  Available with Ubuntu Pro

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

• CVE-2023-21830
• CVE-2023-21843

Related notices

• USN-5897-1: openjdk-19-demo, openjdk-11-demo, openjdk-19-jdk, openjdk-11-jre-zero, openjdk-17-jre, openjdk-19-source, openjdk-19-doc, openjdk-11-jre-headless, openjdk-17-jre-zero, openjdk-19, openjdk-19-jre-headless, openjdk-17-doc, openjdk-11-jdk, openjdk-17-jdk-headless, openjdk-11-doc, openjdk-19-jdk-headless, openjdk-19-jre, openjdk-11-jdk-headless, openjdk-17-source, openjdk-19-jre-zero, openjdk-11-source, openjdk-17-demo, openjdk-17-jre-headless, openjdk-lts, openjdk-17-jdk, openjdk-11-jre, openjdk-17