java-11-openjdk-11.0.15.0.10-1.el9

Errata ID: AXSA:2022-3958:15

Release date: Tuesday, November 1, 2022 - 11:19
Subject: java-11-openjdk-11.0.15.0.10-1.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)
* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)
* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)
* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)
* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-21426
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21434
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21443
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21476
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2022-21496
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-11-openjdk-11.0.15.0.10-1.el9.src.rpm
    MD5: fe97c2d67168a2d762f86a13314e93e4
    SHA-256: 19afe21161ef318ddb24ce843298edddf422d9272f1a109cf5dad63987a66b94
    Size: 75.01 MB

Asianux Server 9 for x86_64
  1. java-11-openjdk-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: b4e5942ff65bd2954e9b259b684de940
    SHA-256: 7d1059d6635b5f9c6e22539f9790cc88fb40f7bc3c15f557a5e24f91641e88c6
    Size: 247.17 kB
  2. java-11-openjdk-demo-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: bded6d85f9b92240c11f90367acab8a7
    SHA-256: 899059efda22f472a09b042c151892b3acfadfbb88607b6247dc169863727d7f
    Size: 4.31 MB
  3. java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 8720e6873e26d4493e8493ec6e2da075
    SHA-256: 84703b0d9661cd46af5c76518d67a9300e26e16efc7be48734fb56a007b2911f
    Size: 4.31 MB
  4. java-11-openjdk-demo-slowdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 67f3713bdb14c9322e65e8853efb949f
    SHA-256: 12b947a5b3e0dc0951d37388027da80ba78e2bce107c02659831082bd540c84f
    Size: 4.31 MB
  5. java-11-openjdk-devel-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 25d2521af35a5ed399f460501503da43
    SHA-256: 5901fbbd2c1c7a0ba5f339513fce36b262319228083ec3ff911d27ab4efd6d81
    Size: 3.29 MB
  6. java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 57c37954a6da4e41e255f73f4decea89
    SHA-256: da299100acda74d0bbf1ff60288993ecfaab33937f818fc91ba8b55fb5173d3c
    Size: 3.29 MB
  7. java-11-openjdk-devel-slowdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: c1b33995a615f30c58b286df72fd2b94
    SHA-256: 2b8231d93a55876c2a8b032c7b73836bc69524acaf521e136694b06b8f47dbc0
    Size: 3.29 MB
  8. java-11-openjdk-fastdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 0526e68072b64a86680578162b045a3a
    SHA-256: 32ebaf5a6019258c3c45de117517a106457e596681b3f5f86fcb9174a6fc430b
    Size: 259.84 kB
  9. java-11-openjdk-headless-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: b0bb170d594864080176d94f2a5aac19
    SHA-256: 8a5aa849fa7636da4ed244c2929e4e82767119344be04c03361d4d6ab2137932
    Size: 37.81 MB
  10. java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 14cef6b5fe865ad6e8402ddeab200024
    SHA-256: 76797fc857892eac8c6ce083bc8d13e20582a019ab4822d86cd735a9a5fb95da
    Size: 43.34 MB
  11. java-11-openjdk-headless-slowdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 368ce27029b4cea3deedb65ffa0d1a1b
    SHA-256: 73e5fbec2b267d9c6e4a1a4b58fb814a12a9df71a7c38d01b8c940c9803042f0
    Size: 41.32 MB
  12. java-11-openjdk-javadoc-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 85717f1f8621331e62ed110f9d93a829
    SHA-256: eb19dccf5da21e0675b4de7ae243bc1d81ab2b148782f7063a7c37385cd222b7
    Size: 12.62 MB
  13. java-11-openjdk-javadoc-zip-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 593acaf9a205d2c85d37703f5bcb4230
    SHA-256: df83a65c2d76670c229572ff639cca52f730db604e77690ae9f262530098f9a0
    Size: 41.04 MB
  14. java-11-openjdk-jmods-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 9b0ddd0a874574a88eb16c29597ce88c
    SHA-256: 80b2b35c9d76d82d56583a1e8b9acdba446f28a3436a4b69855b4bf7a59db4a7
    Size: 300.75 MB
  15. java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 1b42ed37845a633fc30abb80318f4c7a
    SHA-256: 9690bffdee655ba5a572cef7f400d644b7319b1707e0d46f7b281aedde12c058
    Size: 261.68 MB
  16. java-11-openjdk-jmods-slowdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: cce90e4a6f3a6375a79c3e76e59412ff
    SHA-256: 31025cdcc12b610e57eeb79a0f210790e0ed8d72c73bc2b39b9fe4f3f05f6f11
    Size: 192.85 MB
  17. java-11-openjdk-slowdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: ad14ada2b81e8553037896750114a1dd
    SHA-256: 2fb8f29bb43fc608be74af5dfeafee8b0258294ce3dee359bd82ab187fe1a27a
    Size: 250.51 kB
  18. java-11-openjdk-src-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 244b174425b3751da92f057616b6028d
    SHA-256: d7607ff6eda7f488263e6265def1f1cdb3d71d4cfc7ee33e9150141c00c2589e
    Size: 49.59 MB
  19. java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: 36bd1b389e8934776d1ac13e5d0f662e
    SHA-256: 699e12363443c3d302bed7a7b1cdcb0cbe78880eaacc2e9f8eb9ffa862adaae0
    Size: 49.59 MB
  20. java-11-openjdk-src-slowdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: fe86f782053a67cc1c43469bf83518e7
    SHA-256: 615e88c9d5d9334236a3bfd39ad0c236860db34406bd1fd4b19bcd5b6dfa404f
    Size: 49.59 MB
  21. java-11-openjdk-static-libs-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: c02ed2243a3c697e943e099dfda0bd5d
    SHA-256: 1e3d6efcbfb3ea9951bbba09cff8b57c4b01fcdbcf6665a257c3edbc1dfc987f
    Size: 17.05 MB
  22. java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: f0e16ffcb0c5072574920dc7dbc5d8a0
    SHA-256: de76a276f3059d23291f1429da7427c4d3234e20b954dadce3a24caffb88faa8
    Size: 17.14 MB
  23. java-11-openjdk-static-libs-slowdebug-11.0.15.0.10-1.el9.x86_64.rpm
    MD5: cd8be3ba72ddaceacc19b7670fdbe8ca
    SHA-256: 3c6188765e64fd8a37cce01006fd2bbaf3970f30cb6928a45ada26ab2948f012
    Size: 11.57 MB