java-1.8.0-openjdk-1.8.0.322.b06-2.el8

Errata ID: AXSA:2022-3023:02

Release date: Thursday, January 27, 2022 - 22:28
Subject: java-1.8.0-openjdk-1.8.0.322.b06-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248)
* OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492) (CVE-2022-21282)
* OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813) (CVE-2022-21283)
* OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293)
* OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294)
* OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498) (CVE-2022-21296)
* OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)
* OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305)
* OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340)
* OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341)
* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360)
* OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Previously, OpenJDK would crash when running the Java Flight Recorder (JFR) on PowerPC 64 (ppc64) machines. This was found to be due to missing crash protection in the ppc64 port. With this update, JFR should run without crashing on ppc64. (BZ#2038935)

CVE-2022-21248
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21282
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21283
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21293
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21294
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21296
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21299
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21305
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21340
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21341
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21360
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21365
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.322.b06-2.el8.src.rpm
    MD5: 3371e154a5f7286b58d51f2328f2048a
    SHA-256: 319f16e59f951c50feb7ff1957032744b92f162d32c5d2560c48763449f9e2c5
    Size: 55.69 MB

Asianux Server 8 for x86_64
  1. java-1.8.0-openjdk-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 0eed41ead2ff1db7059aa2f0f74df3da
    SHA-256: f154126708d08693b8da3c42ff41c0e145fa96a02b53f962d08afa7f3f891624
    Size: 340.80 kB
  2. java-1.8.0-openjdk-accessibility-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 095b499ae02084ee47ae65db2dceb3aa
    SHA-256: f72aa60a4f92a40fdc9cfb2fd56283b57be7e32a6a728e1f3d6f878021ca8996
    Size: 103.42 kB
  3. java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: afe1a0f91b20b44af5cd954be2654eb8
    SHA-256: ed4022fbb2a5688e18555078643e1cbfb74dfab4fb93273f696495e060fe8a5e
    Size: 103.27 kB
  4. java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 5160be9de9b722a58a864d5b015ad532
    SHA-256: 7fd10dd5b470ff2ddfe02680cbf4681b4221cddb1c5b9c62d20dd11c82c6e1da
    Size: 103.27 kB
  5. java-1.8.0-openjdk-demo-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 08698c5974eb2b1f0d04885e2faafedf
    SHA-256: 1d5b154217e2b7dc2b85d66bb65f783a81cccdd6855a9413411928f52dbed3cd
    Size: 2.01 MB
  6. java-1.8.0-openjdk-demo-fastdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: e45d45e771c4e10a1f70d58b94f9c4e2
    SHA-256: 5f5832b0e19169de89b983b28cf52176b46df83cc51a45aeb8708e4deae26e85
    Size: 2.03 MB
  7. java-1.8.0-openjdk-demo-slowdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: cbc17adf6f596e31b4906409ca703ec7
    SHA-256: 26bd919ddac86c1d2821ab45f3111676a33aa003dec05b79413ac05170f568d2
    Size: 2.03 MB
  8. java-1.8.0-openjdk-devel-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: c5aabd2d482d4e80302f6d49e0b53abe
    SHA-256: 9d5f87d2c73a7b4153a880d4992afc3a981e41bef0ba06ea92d7e1ced8ebd04b
    Size: 9.87 MB
  9. java-1.8.0-openjdk-devel-fastdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 5195f679e05db4ee685cb8a50f78ece8
    SHA-256: 1f03c80a594babc8cacf5970fa6e115c8846c61ed18b7f8b264217c86f1ec76b
    Size: 9.88 MB
  10. java-1.8.0-openjdk-devel-slowdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: cd974ba3a0e8f5500d2e55e7183a4e5e
    SHA-256: db0a62ce04c0ea5f04fb12340040fecbcb6365f41017f7b4672610e5b88f2b81
    Size: 9.88 MB
  11. java-1.8.0-openjdk-fastdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 76ef0428485fdd9cbe79b87c5c2cbc3a
    SHA-256: 34fda96b493818dcd87eb4f4e90712783d77e57eeb416255202cc2baed449c26
    Size: 354.07 kB
  12. java-1.8.0-openjdk-headless-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 4bfdf87903ad673162592d9fbd768d07
    SHA-256: 0a4ae91e3e71bed35d933e554d5a2f181e0a3475be702357268f76e8b28b80d2
    Size: 33.92 MB
  13. java-1.8.0-openjdk-headless-fastdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: ef944e12368a9b83cbbd6fa42f9ceac3
    SHA-256: 80a203cc4a580dd529a650fc98679c09f4d9035c69123b6737d3cace142d81af
    Size: 37.58 MB
  14. java-1.8.0-openjdk-headless-slowdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 104b423ba404b5a10f941f0cbc924478
    SHA-256: fe73e48348e231252deb28957cb214ac041201d4338a083c7d9bde3e928a636c
    Size: 35.75 MB
  15. java-1.8.0-openjdk-javadoc-1.8.0.322.b06-2.el8.noarch.rpm
    MD5: cceb6ee777c267131e4d0c9fbaf4345b
    SHA-256: 87e5079d3e52996024c3f661624be718ff3a36c722238e9cfc4206135447bac7
    Size: 15.18 MB
  16. java-1.8.0-openjdk-javadoc-zip-1.8.0.322.b06-2.el8.noarch.rpm
    MD5: 78451a62a03ce7ed89d6c8f2a2b46418
    SHA-256: d2293cbff47243c5d5adda55191d09ef774ed5f737c70fec9c48efe4fc4901f6
    Size: 41.71 MB
  17. java-1.8.0-openjdk-slowdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: a6b41b5c0bbe444d98040cd5bfc102c9
    SHA-256: bc47793316a7d3c3702871fca9259b661c3081ea36e0682dd10f6d9a0cdca931
    Size: 345.19 kB
  18. java-1.8.0-openjdk-src-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: 6a70a178cd14ee5624f14a37db204db1
    SHA-256: cfdc9c2502256ac9ff9c67e5223364ff377dd18b641406c2c5753bf452500dc0
    Size: 45.59 MB
  19. java-1.8.0-openjdk-src-fastdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: d56f0e951c63f930d925d555d9e5c363
    SHA-256: 835a067ca22ef928350fdaa8354de4be5e398905603128439ab8fba79e2bec96
    Size: 45.59 MB
  20. java-1.8.0-openjdk-src-slowdebug-1.8.0.322.b06-2.el8.x86_64.rpm
    MD5: ec0c11191939e7c31c7e01d921c3c9c4
    SHA-256: e60a383865206fa460da5ab2cafb2d51c2901bb764eae535c34fbd1492e43e38
    Size: 45.59 MB