Common Vulnerabilities and Exposures Fixes for July 2023

Table of Contents

July 2023 CVE Fix
In-Depth Non-CVE Security Fixes

Need help?

Schedule a consultation with an Azul performance expert.

The following Azul Platform Prime releases contain the July 2023 CPU release of OpenJDK:

CPU	PSU
23.02.300.0	23.07.0.0
-	23.02.400.0

CPU

PSU

23.02.300.0

23.07.0.0

23.02.400.0

The following table lists the latest CVE fixes added in the Azul Platform Prime CPU release. The CVE IDs in the table apply to JDK 8, JDK 11, and JDK 17 unless noted otherwise.

July 2023 CVE Fix

CVSS VERSION 3.1 RISK

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2023-22041	Hotspot	None	No	5.1	Local	High	None	None	Unchanged	High	None	None	17, 11	Note 1
CVE-2023-22036	Utility	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	17, 11	Note 2
CVE-2023-22049	Libraries	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 11, 8	Note 2
CVE-2023-25193	2D (Harfbuzz)	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	17, 11	Note 2
CVE-2023-22006	Networking	Multiple	Yes	3.1	Network	High	None	Required	Unchanged	None	Low	None	17, 11	Note 1
CVE-2023-22043 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX	Multiple	Yes	5.9	Network	High	None	None	Unchanged	None	High	None	None	Note 1
CVE-2023-22044 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Unchanged	Low	None	None	None	Note 2
CVE-2023-22045 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Unchanged	Low	None	None	None	Note 2
CVE-2023-22051 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	GraalVM Compiler	Multiple	Yes	3.7	Network	High	None	None	Unchanged	Low	None	None	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2023-22041

Hotspot

None

5.1

Local

High

None

Unchanged

High

None

17, 11

Note 1

CVE-2023-22036

Utility

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

17, 11

Note 2

CVE-2023-22049

Libraries

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 11, 8

Note 2

CVE-2023-25193

2D (Harfbuzz)

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

17, 11

Note 2

CVE-2023-22006

Networking

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

17, 11

Note 1

CVE-2023-22043 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX

Multiple

Yes

5.9

Network

High

None

Unchanged

None

High

None

Note 1

CVE-2023-22044 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

Unchanged

Low

None

Note 2

CVE-2023-22045 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

3.7

Network

High

None

Unchanged

Low

None

Note 2

CVE-2023-22051 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

GraalVM Compiler

Multiple

Yes

3.7

Network

High

None

Unchanged

Low

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Notes

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Base and Impact Metric:

Metrics	Values
Attack Vector	Network (N), Adjacent (A), Local (L), and Physical (P)
Attack Complexity	Low (L) and High (H)
Privileges Required	None (N), Low (L), and High (H)
User Interaction	None (N) and Required (R)
Scope	Unchanged (U) and Changed (C)
Confidentiality Impact	High (H), Low (L), and None (N)
Integrity Impact	High (H), Low (L), and None (N)
Availability Impact	High (H), Low (L), and None (N)

Metrics

Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required (R)

Scope

Unchanged (U) and Changed (C)

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

July 2023 Non-CVE Security Fix

OpenJDK Patch ID	Azul Prime Version	Synopsis	CPU/PSUCPU fixes are included in both CPU and PSU bundles. PSU fixes are included in the PSU bundles only.
JDK-8294323	17	Improve Shared Class Data	CPU,PSU
JDK-8296565	17	Enhanced archival support	CPU,PSU
JDK-8298676	8, 11, 17	Enhanced Look and Feel	CPU,PSU
JDK-8300285	11, 17	Enhance TLS data handling	CPU,PSU
JDK-8300596	8, 11, 17	Enhance Jar Signature validation	CPU,PSU
JDK-8301014	8, 11, 17	Update libxml	CPU,PSU
JDK-8303376	11, 17	Better launching of JDI	CPU,PSU
JDK-8306311	8, 11, 17	Better XML support	CPU,PSU

OpenJDK Patch ID

Azul Prime Version

Synopsis

JDK-8294323

Improve Shared Class Data

CPU,PSU

JDK-8296565

Enhanced archival support

CPU,PSU

JDK-8298676

8, 11, 17

Enhanced Look and Feel