java-1.8.0-openjdk-1.8.0.352.b08-2.el9

Errata ID: AXSA:2022-4205:15

Release date: Tuesday, November 29, 2022 - 03:44
Subject: java-1.8.0-openjdk-1.8.0.352.b08-2.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533) (CVE-2022-21626)
* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918) (CVE-2022-21628)
* OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526) (CVE-2022-21619)
* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910) (CVE-2022-21624)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-21619
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21624
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21626
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21628
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.352.b08-2.el9.src.rpm
    MD5: de932be2ce4e05a58f4679eb3ddac69c
    SHA-256: b20e53d0b4c40839ae5eb2ea2d925f4cde8e09c05fcba713063ce52351917301
    Size: 55.69 MB

Asianux Server 9 for x86_64
  1. java-1.8.0-openjdk-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 200ef98777ab0872dd6224c96c19e045
    SHA-256: 124d25713d3ff38b595725bd32be9e6fdb720a6b9d788c128be766dcf8e07ec1
    Size: 265.19 kB
  2. java-1.8.0-openjdk-demo-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 3b0671d04dce24207c41a453c2cb66af
    SHA-256: 7c065eee09baa8c1e1e255cf4dd49676361f67383cc25cb2c281ec76a035389b
    Size: 1.92 MB
  3. java-1.8.0-openjdk-demo-fastdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: b2818615c013945f5cb3e80b838dbe52
    SHA-256: 3d5a0c4a66283bd0a99f22596155d4469dda809c424445bd11d267b42d82f627
    Size: 1.94 MB
  4. java-1.8.0-openjdk-demo-slowdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 1f2ddd79f49fabc66497e747e974a9f4
    SHA-256: 2af6873e4420e220177c0cd1b93879596d75da6f5ecb1025ceeeec4f11cc7b8b
    Size: 1.93 MB
  5. java-1.8.0-openjdk-devel-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 31319cc9ca46a19076f935cfdbbe368e
    SHA-256: f30811f022485bd83a975b8af9eec4f9e4f55189d196623cb2695f33cb72a1cd
    Size: 9.28 MB
  6. java-1.8.0-openjdk-devel-fastdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: f5b8db09ad3eaa7a27c035ea3889ce84
    SHA-256: 2732018fa05414f197c449d0a51de50fd845b78f783e22de279a848dc9f2e6a7
    Size: 9.29 MB
  7. java-1.8.0-openjdk-devel-slowdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 8a716adcef5ab85e64dc6bd53adf6051
    SHA-256: 2d1384e4065354a6a24e765712209ccb317a93129ba6b169132c7da99b3b928c
    Size: 9.30 MB
  8. java-1.8.0-openjdk-fastdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 4e654fbb6d92baa2cf25e65ee63476ac
    SHA-256: 542c1542dd8825c9b9bdf2434a3b9a1dd29970ec7c425408f0622bcf06156cf8
    Size: 278.45 kB
  9. java-1.8.0-openjdk-headless-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 49ca22aa84fa9bef3a6e38e44903b9c5
    SHA-256: eda9f98d26b20ec9f647a9c4c7065f89f5ead9c4376a1fe773342c43f308dbce
    Size: 32.83 MB
  10. java-1.8.0-openjdk-headless-fastdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: dffe64cbecd7e9b2e1c258d5b21c5e97
    SHA-256: 26053a60d86855d5a93b4dc9ea9631c85033fa84c9ea3a6e39d825cc4efb5237
    Size: 36.65 MB
  11. java-1.8.0-openjdk-headless-slowdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: efd370d50d709fb11413bfc558546f07
    SHA-256: 53cdf9243c5b17fb5c667e870db95156e52297e647f1c37738fcecf1686b641a
    Size: 34.55 MB
  12. java-1.8.0-openjdk-javadoc-1.8.0.352.b08-2.el9.noarch.rpm
    MD5: 954da90af9f8c87aa91a359099334edf
    SHA-256: d9c3ce0ddaf68dcc5f1cbce89d3c0f101d3d3368cfc096caad977ff6133ce662
    Size: 11.85 MB
  13. java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-2.el9.noarch.rpm
    MD5: eddee37fc54c1963a83b3a76ebbb47d1
    SHA-256: 2fedc107c860a33524c1fa3149e134cf768e9b161f870364156771f075f15f9e
    Size: 40.69 MB
  14. java-1.8.0-openjdk-slowdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 5f7a1e69a4c512b89296204d436b5eb8
    SHA-256: 9e82c02d2f323e277cc5bb654ef16794a03d21697a25a0a3a5fc2b7952c7aa9e
    Size: 269.97 kB
  15. java-1.8.0-openjdk-src-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 4b7bc35d63ade4df6818ee2ec3b34bb5
    SHA-256: 731b865f605f5f480a30b63b7b2d8535112bb855c8af2b2251a48716d196dd60
    Size: 44.61 MB
  16. java-1.8.0-openjdk-src-fastdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 3b37467a9dd3de8065e791b3b048d848
    SHA-256: 5e278090cd3433c2efb52eb878ae453f3276a0eed35d5ead43847c70ba48ec79
    Size: 44.61 MB
  17. java-1.8.0-openjdk-src-slowdebug-1.8.0.352.b08-2.el9.x86_64.rpm
    MD5: 9b3289357803299243bdd80f3e7e3ec9
    SHA-256: 5b390db909df9accd423e67d9068e9bea7539f41d2124164669689b9f778dcc6
    Size: 44.61 MB