java-11-openjdk-11.0.15.0.9-2.el8

Errata ID: AXSA:2022-3152:07

Release date: Thursday, April 21, 2022 - 04:36
Subject: java-11-openjdk-11.0.15.0.9-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and
the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Defective secure validation in Apache Santuario (Libraries,
8278008) (CVE-2022-21476)
* OpenJDK: Unbounded memory allocation when compiling crafted XPath
expressions (JAXP, 8270504) (CVE-2022-21426)
* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler
(Libraries, 8277672) (CVE-2022-21434)
* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
(CVE-2022-21443)
* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2022-21426
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: JAXP). Supported versions that are affected are
Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise
Edition. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2022-21434
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized update, insert or delete access
to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that
load and run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability can also be exploited by
using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2022-21443
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise
Edition. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2022-21476
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized access to critical data or
complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition
accessible data. Note: This vulnerability applies to Java deployments, typically
in clients running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web
service which supplies data to the APIs. CVSS 3.1 Base Score 7.5
(Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2022-21496
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: JNDI). Supported versions that are affected are
Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized update, insert or delete access
to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that
load and run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability can also be exploited by
using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-11-openjdk-11.0.15.0.9-2.el8.src.rpm
    Size: 75.04 MB

Asianux Server 8 for x86_64
  1. java-11-openjdk-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 267.01 kB
  2. java-11-openjdk-demo-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 4.37 MB
  3. java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 4.37 MB
  4. java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 4.37 MB
  5. java-11-openjdk-devel-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 3.37 MB
  6. java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 3.38 MB
  7. java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 3.38 MB
  8. java-11-openjdk-fastdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 280.48 kB
  9. java-11-openjdk-headless-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 39.59 MB
  10. java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 44.55 MB
  11. java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 42.97 MB
  12. java-11-openjdk-javadoc-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 15.99 MB
  13. java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 42.00 MB
  14. java-11-openjdk-jmods-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 318.42 MB
  15. java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 273.55 MB
  16. java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 209.91 MB
  17. java-11-openjdk-slowdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 270.00 kB
  18. java-11-openjdk-src-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 50.40 MB
  19. java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 50.41 MB
  20. java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 50.40 MB
  21. java-11-openjdk-static-libs-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 18.86 MB
  22. java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 19.07 MB
  23. java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8.x86_64.rpm
    Size: 12.23 MB