java-17-openjdk-17.0.4.0.8-2.el8

Errata ID: AXSA:2022-3706:04

Release date: Tuesday, August 16, 2022 - 12:00
Subject: java-17-openjdk-17.0.4.0.8-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and
the OpenJDK 17 Java Software Development Kit.

The following packages have been upgraded to a later upstream version:
java-17-openjdk (17.0.4.0.8).

Security Fix(es):

* OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)
(CVE-2022-34169)
* OpenJDK: class compilation issue (Hotspot, 8281859) (CVE-2022-21540)
* OpenJDK: improper restriction of MethodHandle.invokeBasic() (Hotspot,
8281866) (CVE-2022-21541)
* OpenJDK: random exponentials issue (Libraries, 8283875) (CVE-2022-21549)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Bug Fix(es):

* Previous MIRACLE LINUX builds of OpenJDK 17 altered the arguments passed to
sun.security.pkcs11.wrapper.PKCS11.getInstance() in order to facilitate FIPS
support. This build adds an additional form of the method, retaining the
original arguments, so that applications which depend on this internal method
continue to function with MIRACLE LINUX builds of OpenJDK.
* With previous MIRACLE LINUX builds of OpenJDK 17, Mac key generation and import
would fail due to the lack of the CKA_SIGN attribute on the key. This attribute
is now added as part of the NSS FIPS configuration.
* With the release of MIRACLE LINUX 8.6, a change was made so that
disabling OpenJDK FIPS mode required the use of both the
-Djava.security.disableSystemPropertiesFile=true and -Dcom.redhat.fips=false
options, with the intention that FIPS mode could be controlled independently of
system security properties. This change has now been reverted and only
-Djava.security.disableSystemPropertiesFile=true is required to disable FIPS
mode, as in MIRACLE LINUX 8.4.
* Previous MIRACLE LINUX builds of OpenJDK 17 running in FIPS mode with a
SecurityManager would fail due to a lack of module access permissions. This has
now been corrected.

CVE-2022-21540
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Hotspot). Supported versions that are affected are
Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM
Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability
allows unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized read access to a subset of
Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This
vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely on the
Java sandbox for security. This vulnerability can also be exploited by using
APIs in the specified Component, e.g., through a web service which supplies data
to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21541
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Hotspot). Supported versions that are affected are
Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM
Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
Successful attacks of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all Oracle Java SE, Oracle
GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to
Java deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted code (e.g.,
code that comes from the internet) and rely on the Java sandbox for security.
This vulnerability can also be exploited by using APIs in the specified
Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1
Base Score 5.9 (Integrity impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2022-21549
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and
22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Oracle Java SE, Oracle
GraalVM Enterprise Edition. Successful attacks of this vulnerability can result
in unauthorized update, insert or delete access to some of Oracle Java SE,
Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed Java Web
Start applications or sandboxed Java applets, that load and run untrusted code
(e.g., code that comes from the internet) and rely on the Java sandbox for
security. This vulnerability can also be exploited by using APIs in the
specified Component, e.g., through a web service which supplies data to the
APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue
when processing malicious XSLT stylesheets. This can be used to corrupt Java
class files generated by the internal XSLTC compiler and execute arbitrary Java
bytecode. The Apache Xalan Java project is dormant and in the process of being
retired. No future releases of Apache Xalan Java to address this issue are
expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of
Xalan.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-17-openjdk-17.0.4.0.8-2.el8.src.rpm
    MD5: 0f1ef6576e72bf1f1436c6a4fc42f849
    SHA-256: 97f1c44bcd7e705f869b6355dbc5ea428526c67866a8c0299122c8cfadac6319
    Size: 61.25 MB

Asianux Server 8 for x86_64
  1. java-17-openjdk-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 0993f18ac2618bb4e715bbf1d5ef346d
    SHA-256: 7018afac5f6fcc9b2354f0e1ace7f83edb3f7a2961d9e64b74b26d0e1fb3c97e
    Size: 251.87 kB
  2. java-17-openjdk-demo-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 1b86e903b21411dad0e6b777a2a24547
    SHA-256: f2f399321018df67178cd7b6247b8c2a3b4b9a08bdf3eaa517e165c128a85f21
    Size: 3.41 MB
  3. java-17-openjdk-devel-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: d579fd976827b676152efb05c37438f5
    SHA-256: 47eceed36156de3ddc10cb771df4d3467760c18e733fe65e9495c3388b754cc1
    Size: 5.11 MB
  4. java-17-openjdk-headless-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 53682631cbcd4526a44a114eb1e4ed5f
    SHA-256: c98b005686261a642ec25efb04204324ba5a51eef5d2a0e9e405b489dfda2433
    Size: 41.18 MB
  5. java-17-openjdk-javadoc-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 3a74c0fa64ff25cf47a91f38694fb3ff
    SHA-256: 55dba942b95ecd30dc366bafd4364d5f19a1c096d7e67895b672388b851c2e61
    Size: 15.99 MB
  6. java-17-openjdk-javadoc-zip-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: ca7dc2a467f506f426b200f3933617a6
    SHA-256: a3ed3a0515d93bf062bbd86ce0c31dce9b7ae9f63bfc27a79ddeebc00280801b
    Size: 40.21 MB
  7. java-17-openjdk-jmods-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 38ebcb4c9f46bfe5dd07acfc33275482
    SHA-256: 5f0ffbf5efc92143da62a784c6782def8df0fc4a133cd069dcd05d60de8d594c
    Size: 238.84 MB
  8. java-17-openjdk-src-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 1096880df19b6c4f7b096f9ef8fd833e
    SHA-256: e34467a486b445cd31c15909154e0dc72714de3e7a4a7ef87d2b9be18da256f8
    Size: 45.28 MB
  9. java-17-openjdk-static-libs-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 724e8a39cba0b6a2093c6b62c9d97e88
    SHA-256: 77f9beae75661584eee94c6f362fadf8cf22a8d9cf4cfa2eab4c1b88f9c988d1
    Size: 25.39 MB
  10. java-17-openjdk-demo-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 54ada053b45d07ddca7305278288954f
    SHA-256: 8d68f268e60ef5b553f87c22160d1d72e2c77cd128941d0de602cb4237169438
    Size: 3.41 MB
  11. java-17-openjdk-demo-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 2292a0db9a5e0f8230c848ab0f202e52
    SHA-256: 8ad2e380933b53dc00111a6a1d073c27e81bad117c24ae471044eb114e5cf348
    Size: 3.41 MB
  12. java-17-openjdk-devel-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 20b775701fc01fe3c3d9f61dd3907211
    SHA-256: b429cd025147b8fff60a2f465d79f7c2f00e9af13daa7ebcd8edac893c1c40bd
    Size: 5.11 MB
  13. java-17-openjdk-devel-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 229e257ebe08fe0e9a379f51cfc97717
    SHA-256: daea135df4c86256ad066d0136257e7b50430b1328fe560c6438be7bd952cf44
    Size: 5.11 MB
  14. java-17-openjdk-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 3ef369cc0a3f33a518bcf1192efc9a27
    SHA-256: 8eb771b1632ca06c7312d360acedc87643f14a705ed2cd69dc1517e888101a07
    Size: 260.94 kB
  15. java-17-openjdk-headless-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: e5e85d29dbddd1a86f50750fe73ae6b1
    SHA-256: 7314349732a14e8f6f72597e14eb455218aaddaf540a628c3d6fc41940da9f69
    Size: 45.67 MB
  16. java-17-openjdk-headless-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: a71f496009030e6cca5b8984dce85629
    SHA-256: b87408929251feb400542c3e6acde470c14fb1646acb11aed9203d20d03d64f9
    Size: 43.72 MB
  17. java-17-openjdk-jmods-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 39fa89b1870d48ceb0a55e0632caab79
    SHA-256: 5099b4965558576459391b8e31521ac4359bf77def7b7f17575fc5006ea7c5fc
    Size: 231.71 MB
  18. java-17-openjdk-jmods-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: b697e6fa84aa751239123fb1a3524b9e
    SHA-256: 667fd52b55f1946c941ebc9cd280ade27c76f727153eef2e27299e4cae0bda9a
    Size: 171.96 MB
  19. java-17-openjdk-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: f4d80068ce477ca98567e3abb926e632
    SHA-256: 4487185f622890cc8a8b2a49b9ab55865ed05d54a3c83d890f0c4d5c218396f5
    Size: 249.98 kB
  20. java-17-openjdk-src-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: 91cdc477a800ce698ae51e6c4a5d11d3
    SHA-256: 2d01e90685c2d1646996613608e762404b6ad7d5b6300921fbb15e3ad3878541
    Size: 45.28 MB
  21. java-17-openjdk-src-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: a562afa67e961bfe8347347c3e06bf81
    SHA-256: b2f4945ce48cc9d296b93a1477feb9a6793f553e2b899d6c6adcc9a05fd77991
    Size: 45.28 MB
  22. java-17-openjdk-static-libs-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: e69e90f0f3fca7bfebd172f09453a19d
    SHA-256: bdd27af43687ce7c444295b4b049a1e5f936ac88ff415a1651d931dc19df9e35
    Size: 25.55 MB
  23. java-17-openjdk-static-libs-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
    MD5: a6ddf85c453946c7381d1f44ec12b242
    SHA-256: def105d2e448f613ac06ee85d99996888ad9c823fa29908106a878bf283c7ec3
    Size: 21.53 MB