java-11-openjdk-11.0.12.0.7-0.el8

Errata ID: AXSA:2021-2247:11

Release date: Friday, November 26, 2021 - 10:17
Subject: java-11-openjdk-11.0.12.0.7-0.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066) (CVE-2021-2388)
* OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432) (CVE-2021-2341)
* OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967) (CVE-2021-2369)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-2341
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
CVE-2021-2369
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
CVE-2021-2388
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-11-openjdk-11.0.12.0.7-0.el8.src.rpm
    Size: 75.12 MB

Asianux Server 8 for x86_64
  1. java-11-openjdk-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 260.27 kB
  2. java-11-openjdk-demo-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 4.36 MB
  3. java-11-openjdk-devel-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 3.37 MB
  4. java-11-openjdk-headless-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 39.48 MB
  5. java-11-openjdk-javadoc-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 15.97 MB
  6. java-11-openjdk-javadoc-zip-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 41.97 MB
  7. java-11-openjdk-jmods-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 317.70 MB
  8. java-11-openjdk-src-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 50.36 MB
  9. java-11-openjdk-static-libs-11.0.12.0.7-0.el8.x86_64.rpm
    Size: 18.81 MB