AXSA:2022-3150:06

Release date: Thursday, April 21, 2022 - 03:14
Subject: java-11-openjdk-11.0.15.0.9-2.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and
the OpenJDK 11 Java Software Development Kit.

The following packages have been upgraded to a later upstream version:
java-11-openjdk (11.0.15.0.9).

Security Fix(es):

* OpenJDK: Defective secure validation in Apache Santuario (Libraries,
8278008) (CVE-2022-21476)
* OpenJDK: Unbounded memory allocation when compiling crafted XPath
expressions (JAXP, 8270504) (CVE-2022-21426)
* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler
(Libraries, 8277672) (CVE-2022-21434)
* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
(CVE-2022-21443)
* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2022-21426
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: JAXP). Supported versions that are affected are
Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise
Edition. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2022-21434
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized update, insert or delete access
to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that
load and run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability can also be exploited by
using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2022-21443
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise
Edition. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2022-21476
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized access to critical data or
complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition
accessible data. Note: This vulnerability applies to Java deployments, typically
in clients running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web
service which supplies data to the APIs. CVSS 3.1 Base Score 7.5
(Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2022-21496
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: JNDI). Supported versions that are affected are
Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized update, insert or delete access
to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that
load and run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability can also be exploited by
using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-11-openjdk-11.0.15.0.9-2.el7.src.rpm
    Size: 75.00 MB

Asianux Server 7 for x86_64
  1. java-11-openjdk-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 234.20 kB
  2. java-11-openjdk-debug-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 239.35 kB
  3. java-11-openjdk-demo-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 4.36 MB
  4. java-11-openjdk-demo-debug-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 4.36 MB
  5. java-11-openjdk-devel-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 3.38 MB
  6. java-11-openjdk-devel-debug-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 3.38 MB
  7. java-11-openjdk-headless-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 39.28 MB
  8. java-11-openjdk-headless-debug-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 41.88 MB
  9. java-11-openjdk-javadoc-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 16.11 MB
  10. java-11-openjdk-javadoc-debug-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 16.11 MB
  11. java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 41.97 MB
  12. java-11-openjdk-javadoc-zip-debug-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 41.97 MB
  13. java-11-openjdk-jmods-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 310.95 MB
  14. java-11-openjdk-jmods-debug-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 177.61 MB
  15. java-11-openjdk-src-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 50.37 MB
  16. java-11-openjdk-src-debug-11.0.15.0.9-2.el7.x86_64.rpm
    Size: 50.38 MB
  17. java-11-openjdk-11.0.15.0.9-2.el7.i686.rpm
    Size: 230.36 kB
  18. java-11-openjdk-debug-11.0.15.0.9-2.el7.i686.rpm
    Size: 233.48 kB
  19. java-11-openjdk-demo-11.0.15.0.9-2.el7.i686.rpm
    Size: 4.36 MB
  20. java-11-openjdk-demo-debug-11.0.15.0.9-2.el7.i686.rpm
    Size: 4.36 MB
  21. java-11-openjdk-devel-11.0.15.0.9-2.el7.i686.rpm
    Size: 3.35 MB
  22. java-11-openjdk-devel-debug-11.0.15.0.9-2.el7.i686.rpm
    Size: 3.35 MB
  23. java-11-openjdk-headless-11.0.15.0.9-2.el7.i686.rpm
    Size: 35.38 MB
  24. java-11-openjdk-headless-debug-11.0.15.0.9-2.el7.i686.rpm
    Size: 37.39 MB
  25. java-11-openjdk-javadoc-11.0.15.0.9-2.el7.i686.rpm
    Size: 16.11 MB
  26. java-11-openjdk-javadoc-debug-11.0.15.0.9-2.el7.i686.rpm
    Size: 16.11 MB
  27. java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7.i686.rpm
    Size: 41.99 MB
  28. java-11-openjdk-javadoc-zip-debug-11.0.15.0.9-2.el7.i686.rpm
    Size: 42.00 MB
  29. java-11-openjdk-jmods-11.0.15.0.9-2.el7.i686.rpm
    Size: 262.90 MB
  30. java-11-openjdk-jmods-debug-11.0.15.0.9-2.el7.i686.rpm
    Size: 150.71 MB
  31. java-11-openjdk-src-11.0.15.0.9-2.el7.i686.rpm
    Size: 45.63 MB
  32. java-11-openjdk-src-debug-11.0.15.0.9-2.el7.i686.rpm
    Size: 45.64 MB
Copyright 2007-2022 Cybertrust Japan Co., Ltd. All rights reserved.