java-1.8.0-openjdk-1.8.0.332.b09-1.el9

Errata ID: AXSA:2022-3957:12

Release date: Tuesday, November 1, 2022 - 09:40
Subject: java-1.8.0-openjdk-1.8.0.332.b09-1.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)
* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)
* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)
* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)
* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-21426
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21434
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21443
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21476
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2022-21496
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.332.b09-1.el9.src.rpm
    MD5: 008b86b31c91b367e9604fc66297cf36
    SHA-256: 16063b4b4dd734203affbca6414f62eeda315fdbc3f5a80e7d3854df969c05d4
    Size: 55.66 MB

Asianux Server 9 for x86_64
  1. java-1.8.0-openjdk-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: e112fc24143caebc04e5a41648a66a11
    SHA-256: 67f99504c1b50e9b80a06f4001589f3935d67152aa9bc8ab6dcca313ba00a077
    Size: 271.65 kB
  2. java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: b07448db9684acab6227f83935d4d754
    SHA-256: 7c482d920c0fb43a3548e298968004ffcb2f46b0f8d065c5aa2ff15836cdee22
    Size: 1.92 MB
  3. java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: 87005ef1e91ebf9757438e0cac5dad33
    SHA-256: c4a0c50d9bbf514251b467794aab12323ed35063b89fc999cacdf7cdddd60716
    Size: 1.94 MB
  4. java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: a9b697ae1aa0d094bf878e553ff6532b
    SHA-256: 008d7c4b7cc1390263fa44774f603779449b4b266a7afc6a07861f80a05dcade
    Size: 1.94 MB
  5. java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: c604e90ebcfd1dddd4c956573a8887eb
    SHA-256: 4c749dfe8b6161d15ed059db1ef9511a258296d0e88d1c0edca4c0bd4ba748c7
    Size: 9.28 MB
  6. java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: e87223f13a26361c4e05400fe3996bc1
    SHA-256: ee13a6e5e4712a8e0cec381b0a069da567c4c6bf72162b39f7011ac4c1b6a0ff
    Size: 9.30 MB
  7. java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: 010960ca0620d4740a861d6873a3d588
    SHA-256: 715b8942e66be7b21580f5bdb1384cd33606490407484e387ad9ba5c7b88e572
    Size: 9.30 MB
  8. java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: b582efead24fefe8d68a04170ebc6454
    SHA-256: 062452fb3530461d7e0388cb6b6ab8fd04740001ca744e56e0691aad55dc8f6b
    Size: 285.01 kB
  9. java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: ae1d9c2d9cbfd39c5d113b7fa1c672d4
    SHA-256: 31c5493d9d9c89e51917027dd6a331089c225eee1b5aba568520ab60b8e0555c
    Size: 32.84 MB
  10. java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: ca31a57e5c6dbbd03dbee4c1a829c71a
    SHA-256: 7e7e1b9729609777fe78afbafb12f991458a7ff90197285cdc2058b802899114
    Size: 36.67 MB
  11. java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: 3b1239898c43445eaa56f36e60a5b1c5
    SHA-256: 6f36a784b3f0599abc0aef8e95ff45f93e149aba9c2e6c48b54ed67ff9191ed7
    Size: 34.51 MB
  12. java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el9.noarch.rpm
    MD5: 9a1af283a3f2879dd99155e0abadd7e6
    SHA-256: 4509aaffdf706978e394eeaf17399653aa30fd9b3d077bfe5f3715af621a0ba1
    Size: 11.86 MB
  13. java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el9.noarch.rpm
    MD5: 74e5bc7519dfee3a71cfcd03ed168c53
    SHA-256: 0bf8cbbc3bec45ca05802fbc1bbd72d5dbfaf294153c8f7dfe0c2f2b9ceccbf2
    Size: 40.74 MB
  14. java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: 52a0de12f8dbbcc914aec95c0fdfeef3
    SHA-256: 0a57ba6399e22c496806f31d833ae2491a893949b32596c7213d5883f1be306a
    Size: 276.31 kB
  15. java-1.8.0-openjdk-src-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: 9b89db1f798febd208347404bcaf373d
    SHA-256: 9e6ad2c2298c7ad801ffb7209195dd477da183385bd03c124b5bbed5d54f7854
    Size: 44.61 MB
  16. java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: e4f15bc298f01f52d2431b4487bc0029
    SHA-256: 2b72c67d3c44c43a9be7283a353de15d3235af8e0b50a8cdc7231d6ab80b2438
    Size: 44.61 MB
  17. java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el9.x86_64.rpm
    MD5: b9f97f26185e43f0c2bac219c270b6a2
    SHA-256: 8c270b6eee7e1392575c9dbe6495dfe803ad7815d49eb91bbdffaf60e9eff158
    Size: 44.61 MB