java-1.8.0-openjdk-1.8.0.332.b09-1.el8

Errata ID: AXSA:2022-3154:04

Release date: Tuesday, April 26, 2022 - 02:30
Subject: java-1.8.0-openjdk-1.8.0.332.b09-1.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment
and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Defective secure validation in Apache Santuario (Libraries,
8278008) (CVE-2022-21476)
* OpenJDK: Unbounded memory allocation when compiling crafted XPath
expressions (JAXP, 8270504) (CVE-2022-21426)
* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler
(Libraries, 8277672) (CVE-2022-21434)
* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
(CVE-2022-21443)
* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2022-21426
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: JAXP). Supported versions that are affected are
Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise
Edition. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2022-21434
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized update, insert or delete access
to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that
load and run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability can also be exploited by
using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2022-21443
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise
Edition. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2022-21476
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized access to critical data or
complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition
accessible data. Note: This vulnerability applies to Java deployments, typically
in clients running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web
service which supplies data to the APIs. CVSS 3.1 Base Score 7.5
(Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2022-21496
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: JNDI). Supported versions that are affected are
Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized update, insert or delete access
to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that
load and run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability can also be exploited by
using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.332.b09-1.el8.src.rpm
    MD5: d4b581079387557ab0149468913497fd
    SHA-256: 39aea897598ebc19863fa95ac637c71c0fbf7a871cf112a92dcbebb1327291ef
    Size: 55.72 MB

Asianux Server 8 for x86_64
  1. java-1.8.0-openjdk-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 9e61f1d721cb103bb08d1db66dda806a
    SHA-256: 947ed55669eceb231bd1fe37309e283ec20aed64d75c588c37da03e45b4894f2
    Size: 341.28 kB
  2. java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 5b2b19dfb05b49a4f5e0065b50a66e87
    SHA-256: 3bf7a2b78eb13d2ee11845643fe1005e2f25a95f4ee09bec215136ec746906e9
    Size: 103.91 kB
  3. java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 47a96a6323e36c6e9b51b6c90f9d7972
    SHA-256: 6f90d38da30b3d7274fae29ad7a29b744271851613e68674ffd062042483cff4
    Size: 103.76 kB
  4. java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: bcf8b91a160f7df279c17012824e44c2
    SHA-256: 4ab0c298e712bfb5d859d7b84d0011534d51ca80dbaca80dbd7e48166a1804d7
    Size: 103.76 kB
  5. java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: ea99f17aab32e99aba12ef8084f46055
    SHA-256: d5d25f5e88596da64842165de1f09828b9c6eb4e7cc18cf33a166b893eacf3fe
    Size: 2.01 MB
  6. java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 8a8456ceed18cf80f304b098bf029c6d
    SHA-256: 2bd228a7eabe6356401219ee99c416a954a6ee9777e830316cb72c8c86a72623
    Size: 2.03 MB
  7. java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 6f81e47730cca0133b81a9e8d965eb63
    SHA-256: 10cc4db8f3517cddd2f48d00859798d2465ae65b4df8ad5aaedf33396094d8f4
    Size: 2.03 MB
  8. java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 91d387f8eaa4b554f1fff195ed3b0fc8
    SHA-256: b0d84ec85ef57e6f07517d3d3eb3401bc97b664d34bf698f687ab2a39b1b7c35
    Size: 9.87 MB
  9. java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: b1b097fb07eebf3508f0c9066aa198ca
    SHA-256: 60226485ef969346c708de2fa14ce196a29192118f84e3eecb92521d850987c7
    Size: 9.89 MB
  10. java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 1144ffeca0270442f5d8c81984bbaf0c
    SHA-256: cf787d7398cda2915f8c4a6b629524f98686565abf60e677827ff7b2b534d69a
    Size: 9.89 MB
  11. java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 722cd898b5e1042a1e0077b3192ba92d
    SHA-256: 13a694bbd04230c6df966f1e33817f31fdad02d817cfbf53a068a778b0087dbb
    Size: 354.59 kB
  12. java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 4c6e42fe8e178dd3157b82e94290e36c
    SHA-256: d64419a7086800b1b178a3623f22c5df37c622be5d37c1ca5c4ca15bef70beab
    Size: 33.94 MB
  13. java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: ac28d10c5848ba4e63e653ab565194c1
    SHA-256: 99f2d220f8c2ebc91ff77d3b3c83571962850129a416340535e9bcefdcfd73ed
    Size: 37.59 MB
  14. java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: f3f0ccb20982887778605255cd974892
    SHA-256: 9f00a80c4482eb40727d38b3facc574769091c389ed33ebccf589e482e914701
    Size: 35.77 MB
  15. java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8.noarch.rpm
    MD5: 5f89fe469d80a78d10b1a68672375e8b
    SHA-256: 0fc60be3777bffddffe8722a443ff6035f7c92ef381d6c1234e6cb87a1e56b13
    Size: 15.18 MB
  16. java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8.noarch.rpm
    MD5: b07b8be130f42799e988d95373d673b0
    SHA-256: 5b9cfb949a9919e3f3cb3d286bcc429a54c9f399a25fbf757d4480fdcb2fd6b1
    Size: 41.59 MB
  17. java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: a63b1c8eb1526d25a54f6236295384a8
    SHA-256: 1945efe5ac5dd5237c1293997221e5a252e25c390291b1a2849cda79892591cd
    Size: 345.67 kB
  18. java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 2a9bce4b75182b569bb98863d78aad71
    SHA-256: e1043772f77f14d7baededcb536225f8c8097dada9003b20b520e37c381a10f2
    Size: 45.45 MB
  19. java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: 4f3692ae391a5b2c41317e2afc846749
    SHA-256: 18c0c08ce1abc44ef4b2904692bc42a3cfad2c58a01402bea35cbb7e86c59f34
    Size: 45.45 MB
  20. java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8.x86_64.rpm
    MD5: fb4e57ab29c8ccc18039ef91c651d5f4
    SHA-256: f91f7a582d492f0ba36717ed1103aa49628ac33eda4419f7b67babec762a79af
    Size: 45.45 MB