Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition

Summary

This bulletin covers all applicable Java SE CVEs published by Oracle as part of their January 2023 Critical Patch Update. For more information please refer to Oracle’s January 2023 CPU Advisory and the X-Force database entries referenced below.

Vulnerability Details

CVEID:CVE-2023-21830
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245038 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-21843
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245037 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

7.1.0.0 - 7.1.5.16
8.0.0.0 - 8.0.7.20

For detailed information on which CVEs affect which releases, please refer to the IBM SDK, Java Technology Edition Security Vulnerabilities page.

Remediation/Fixes

7.1.5.17 (restricted access)
8.0.8.0

IBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from the Java Developer Center.

IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.

APAR numbers are as follows:

IX90193 (CVE-2023-21830)
IJ45272 (CVE-2023-21843)

Workarounds and Mitigations

None