java-1.8.0-openjdk-1.8.0.342.b07-1.el7

Errata ID: AXSA:2022-3599:06

Release date: Monday, July 25, 2022 - 18:02
Subject: java-1.8.0-openjdk-1.8.0.342.b07-1.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

The following packages have been upgraded to a later upstream version: java-1.8.0-openjdk (1.8.0.342.b07). (BZ#2083257)

Security Fix(es):

* OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407) (CVE-2022-34169)
* OpenJDK: class compilation issue (Hotspot, 8281859) (CVE-2022-21540)
* OpenJDK: improper restriction of MethodHandle.invokeBasic() (Hotspot, 8281866) (CVE-2022-21541)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-21540
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21541
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.342.b07-1.el7.src.rpm
    MD5: 4b489e265150f80f060f5185b70c59bf
    SHA-256: f34daa33319bedc587ce7b992d7dca90e7d33d729828ebd2ec560af50f17c58e
    Size: 55.72 MB

Asianux Server 7 for x86_64
  1. java-1.8.0-openjdk-1.8.0.342.b07-1.el7.x86_64.rpm
    MD5: be499e5290787f313c09966670099b02
    SHA-256: c42776bd11f284a1116da7be6a120e85bd474b41e7d7129a3592b1112d9ec235
    Size: 313.93 kB
  2. java-1.8.0-openjdk-devel-1.8.0.342.b07-1.el7.x86_64.rpm
    MD5: d16c3c80e601da24dcb2852ae76846ea
    SHA-256: 20c526c8d5c376e37a50d899fc193052dad932428c4414d31a087118392ab261
    Size: 9.84 MB
  3. java-1.8.0-openjdk-headless-1.8.0.342.b07-1.el7.x86_64.rpm
    MD5: 15340dadf8a307f7e472ee8d48910590
    SHA-256: 561c89ce33e7528ce2e31d0dd09c1d2ab605425725449825354fcf714b6fe598
    Size: 33.08 MB
  4. java-1.8.0-openjdk-1.8.0.342.b07-1.el7.i686.rpm
    MD5: 173ba2d33f6e4e2e7019501f7c885ab7
    SHA-256: 0d7dbedd04ea1781360e37e84c142d4d5feb683a7747b296547ed9cbfd13dcdd
    Size: 313.47 kB
  5. java-1.8.0-openjdk-devel-1.8.0.342.b07-1.el7.i686.rpm
    MD5: 3e215cce025aea0a470d512d23da9638
    SHA-256: 6d59fdc2dbdff1d11daacd49a21038f0c04e968961aee04f4c7cd9aa49960fbc
    Size: 9.84 MB
  6. java-1.8.0-openjdk-headless-1.8.0.342.b07-1.el7.i686.rpm
    MD5: 7376309885da68274bd50552db9ddeb1
    SHA-256: f6cb93345610dc5b14db3b40b5d495aab954f9bfd2373f50449fc3d9daee9b29
    Size: 32.92 MB