java-1.8.0-openjdk-1.8.0.352.b08-2.el8

Errata ID: AXSA:2022-3901:10

Release date: Thursday, October 20, 2022 - 03:27
Subject: java-1.8.0-openjdk-1.8.0.352.b08-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment
and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: excessive memory allocation in X.509 certificate parsing (Security,
8286533) (CVE-2022-21626)
* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server,
8286918) (CVE-2022-21628)
* OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)
(CVE-2022-21619)
* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)
(CVE-2022-21624)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2022-21619
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Security). Supported versions that are affected
are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM
Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
Successful attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
Edition accessible data. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or sandboxed
Java applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web
service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2022-21624
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: JNDI). Supported versions that are affected are
Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM
Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
Successful attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
Edition accessible data. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or sandboxed
Java applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web
service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2022-21626
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Security). Supported versions that are affected
are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise
Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTPS to compromise Oracle Java
SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability
can result in unauthorized ability to cause a partial denial of service (partial
DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This
vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely on the
Java sandbox for security. This vulnerability can also be exploited by using
APIs in the specified Component, e.g., through a web service which supplies data
to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2022-21628
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that
are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19;
Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable
vulnerability allows unauthenticated attacker with network access via HTTP to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise
Edition. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code (e.g.,
code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability
impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.352.b08-2.el8.src.rpm
    Size: 55.77 MB

Asianux Server 8 for x86_64
  1. java-1.8.0-openjdk-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 347.68 kB
  2. java-1.8.0-openjdk-accessibility-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 110.26 kB
  3. java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 110.11 kB
  4. java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 110.11 kB
  5. java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 2.02 MB
  6. java-1.8.0-openjdk-demo-fastdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 2.04 MB
  7. java-1.8.0-openjdk-demo-slowdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 2.04 MB
  8. java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 9.88 MB
  9. java-1.8.0-openjdk-devel-fastdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 9.90 MB
  10. java-1.8.0-openjdk-devel-slowdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 9.90 MB
  11. java-1.8.0-openjdk-fastdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 361.11 kB
  12. java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 33.96 MB
  13. java-1.8.0-openjdk-headless-fastdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 37.62 MB
  14. java-1.8.0-openjdk-headless-slowdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 35.79 MB
  15. java-1.8.0-openjdk-javadoc-1.8.0.352.b08-2.el8.noarch.rpm
    Size: 15.19 MB
  16. java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-2.el8.noarch.rpm
    Size: 41.64 MB
  17. java-1.8.0-openjdk-slowdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 352.18 kB
  18. java-1.8.0-openjdk-src-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 45.47 MB
  19. java-1.8.0-openjdk-src-fastdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 45.47 MB
  20. java-1.8.0-openjdk-src-slowdebug-1.8.0.352.b08-2.el8.x86_64.rpm
    Size: 45.47 MB