java-11-openjdk-11.0.20.0.8-2.el9.ML.1

Errata ID: AXSA:2023-6266:17

Release date: Thursday, July 27, 2023 - 02:09
Subject: java-11-openjdk-11.0.20.0.8-2.el9.ML.1
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: ZIP file parsing infinite loop (8302483) (CVE-2023-22036)
* OpenJDK: weakness in AES implementation (8308682) (CVE-2023-22041)
* OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312) (CVE-2023-22049)
* harfbuzz: OpenJDK: O(n^2) growth via consecutive marks (CVE-2023-25193)
* OpenJDK: HTTP client insufficient file name validation (8302475) (CVE-2023-22006)
* OpenJDK: array indexing integer overflow issue (8304468) (CVE-2023-22045)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Prepare for the next quarterly OpenJDK upstream release (2023-07, 11.0.20) [rhel-9] (BZ#2223100)

CVE-2023-22006
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
CVE-2023-22036
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2023-22041
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-22045
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2023-22049
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-25193
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-11-openjdk-11.0.20.0.8-2.el9.ML.1.src.rpm
    MD5: acc32d7d33aaa8fa59ffa14f6bbaa13a
    SHA-256: add9954e053b75edb65a88765d25165ac8622613203f85249fc6f6b004d1b1d2
    Size: 68.13 MB

Asianux Server 9 for x86_64
  1. java-11-openjdk-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: c3fe4ff47f98cb8591740370eb4e67c3
    SHA-256: 0066b23f7561b06c6da87a1237bd2126d9106c2a1502a6025c13ea6eb5e0fe72
    Size: 438.29 kB
  2. java-11-openjdk-demo-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: ae6f5601a6f7fb6f6852d67682dfd735
    SHA-256: 5c2dfcc986620d12484900e242699a45e562cd5b8c4400b899876974b952785e
    Size: 4.32 MB
  3. java-11-openjdk-demo-fastdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 7e120998a5603ccf72786a64db22c132
    SHA-256: bc8722555464b6768aea410cce70e0b3156e1efc7daa7fa56aae610824b6f242
    Size: 4.32 MB
  4. java-11-openjdk-demo-slowdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 80bccda437c1d8e92633633f88f93e9f
    SHA-256: e3737692dbbcae1269108fcb0ede60c96138578f8849fba9bfa85411f215ed0d
    Size: 4.32 MB
  5. java-11-openjdk-devel-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: fcdcf22d1cff3f9e8fa413968243cc57
    SHA-256: 1f7b3263befbfe75a3f1ba0244701f8da84ef31b5d1909393756a3e3cda7fe32
    Size: 3.29 MB
  6. java-11-openjdk-devel-fastdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 29d2ecba93070ca4d561440a58329bdc
    SHA-256: f65444e33d5e1148c500d8fc7ce9301ecffe11062654c5982bf9305b6010793d
    Size: 3.29 MB
  7. java-11-openjdk-devel-slowdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 8e88a0fbe5a26c759bd1dbe9781705f4
    SHA-256: a7810188d6bf1de0e551d3dee431646bc5de828ad62229d1122c3d92c6d71c87
    Size: 3.29 MB
  8. java-11-openjdk-fastdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 2fe0a4ca5e02e258cd10d9f843dc08b2
    SHA-256: 3afb5e2eed2d5f03b6077169c7d00eef301f36a45eade61b7708351955faba42
    Size: 452.45 kB
  9. java-11-openjdk-headless-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: e205b6129c13d3f3ca939b435f43871c
    SHA-256: 76796c437181db21482d996c2a9916c866ab4a6880f0d8b06896b461bd0b00d0
    Size: 39.66 MB
  10. java-11-openjdk-headless-fastdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 656019bcac69d1dcd07837cc9e78eb06
    SHA-256: d0fdd4c4838b85bafe8d46f8e9f36d62e232db9f1beaa183ffffd6d678fd8984
    Size: 45.22 MB
  11. java-11-openjdk-headless-slowdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 2254a0a2ad02d910b3158876ab7075fb
    SHA-256: 83a1f0263d754b24da2d58794255e9ff72923c4404c7758a285a5385bf893000
    Size: 44.18 MB
  12. java-11-openjdk-javadoc-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: eb42ea37521f4925bdd21f10e6661efd
    SHA-256: 2a0ef0420b9717a578fc5f443d4de1a40bca3520be5d0bf3d64490500cc1f0fc
    Size: 12.62 MB
  13. java-11-openjdk-javadoc-zip-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 2d1ce316b131d46e1e639df226f2f15c
    SHA-256: 3084809d926ef004bdde11744a6d60627ee069f1bf23af94e13ce5379aa8c3e0
    Size: 41.10 MB
  14. java-11-openjdk-jmods-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: a64f11fddc4f2954aa42fc7bb7345a3f
    SHA-256: 03f18ce182f58e39450387c192049a385ca66c617d725c162b3b7ea2ad708632
    Size: 323.03 MB
  15. java-11-openjdk-jmods-fastdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 5d55c6c50d91243943d6e3ad7987ecd5
    SHA-256: 91e15a4cd73b608b858ae7f3c4e5813ab96b789f4126b5c78e4437ff6c34c289
    Size: 283.84 MB
  16. java-11-openjdk-jmods-slowdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: d1acae23333d3cf73b38c961e08e11b9
    SHA-256: 0cdea9df8c3716d20df90e1d404c04f18598887a1a25f236cfd8bdd357d99a3f
    Size: 211.29 MB
  17. java-11-openjdk-slowdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 4542a926d99fec5a783e748e1e3ff3e4
    SHA-256: 4cf79ae4811c7444d247fdfdd0d1d3f5b72683c731d18e4a03f0d10e405c7ac3
    Size: 423.51 kB
  18. java-11-openjdk-src-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 2558e84cc58975fac4d7343c9bf018b5
    SHA-256: 8aba7ffe80fbce7650257e7ba398da93797af5e691eb5d158d00cd537e1b9f39
    Size: 49.66 MB
  19. java-11-openjdk-src-fastdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 556077153e1878c261ae07d4d0d1dea8
    SHA-256: c5ef9c1e57fa18778ea2d1069f711df5a1cfd69fc81187349f8c8a5cfbc73f30
    Size: 49.66 MB
  20. java-11-openjdk-src-slowdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 1ac01cf95ca1cb5ddc654176871022f6
    SHA-256: 6eed6b8faf434dc4f3b4f57f917ca4da33e99d3ab612d75d3199a515cd097e42
    Size: 49.66 MB
  21. java-11-openjdk-static-libs-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: baebc7a3d4579bd9af7a94d8beaf78c1
    SHA-256: a74b626b89868d6d93bf1263424c8f875a3cfce920056567d084bb5fad66a334
    Size: 31.37 MB
  22. java-11-openjdk-static-libs-fastdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 130e3e0faf14ace9ff6604f3710b8121
    SHA-256: d8e488e48385504aed263c0d0b61916acc4325d367127a8f3b75f9d5e30db121
    Size: 31.26 MB
  23. java-11-openjdk-static-libs-slowdebug-11.0.20.0.8-2.el9.ML.1.x86_64.rpm
    MD5: 952638e29b89e9aa40a50b64c9798a79
    SHA-256: 8f360c7ef750d71268c87738b46a0c545994fe2ce247a01f436d9486239188a2
    Size: 28.33 MB
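The Solution section says to update the packages, and the Download section publishes a SHA-256 for every RPM. The script below is an added example, not part of the MIRACLE LINUX advisory or its tooling: it checks a downloaded RPM's SHA-256 against the sums published above before the file is handed to the package manager. The three expected sums are copied from the Download section; the `sha256sum`/`awk` approach and the function names are this example's own choices. It complements, rather than replaces, the package manager's GPG signature check, which remains the primary control.

```shell
#!/bin/sh
# Added example (not part of the advisory): verify a downloaded RPM's SHA-256
# against the value published in the advisory before installing it.
# Files that are not listed in the table are rejected outright.

# "filename sha256" pairs copied from the advisory's Download section
# (only a subset of the listed packages, for brevity).
EXPECTED_SUMS='
java-11-openjdk-11.0.20.0.8-2.el9.ML.1.x86_64.rpm 0066b23f7561b06c6da87a1237bd2126d9106c2a1502a6025c13ea6eb5e0fe72
java-11-openjdk-headless-11.0.20.0.8-2.el9.ML.1.x86_64.rpm 76796c437181db21482d996c2a9916c866ab4a6880f0d8b06896b461bd0b00d0
java-11-openjdk-devel-11.0.20.0.8-2.el9.ML.1.x86_64.rpm 1f7b3263befbfe75a3f1ba0244701f8da84ef31b5d1909393756a3e3cda7fe32
'

# expected_sum NAME: print the published sum for NAME, or nothing if unlisted.
expected_sum() {
    printf '%s\n' "$EXPECTED_SUMS" | awk -v n="$1" '$1 == n { print $2 }'
}

# verify_rpm PATH [EXPECTED]: return 0 only if the file's SHA-256 matches.
# EXPECTED defaults to the advisory entry for the file's basename.
verify_rpm() {
    file=$1
    expected=${2:-$(expected_sum "$(basename "$file")")}
    if [ -z "$expected" ]; then
        echo "REJECT $file: not listed in advisory" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK     $file"
        return 0
    fi
    echo "REJECT $file: sha256 $actual does not match published $expected" >&2
    return 1
}

# Usage (hypothetical directory of downloaded RPMs): install only if every
# file verifies, so one tampered or truncated download blocks the whole set.
# for f in ./*.rpm; do verify_rpm "$f" || exit 1; done && sudo dnf install ./*.rpm
```

Run it from the directory holding the downloaded RPMs; any mismatch or unlisted file stops the install before `dnf` sees it.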