java-1.8.0-openjdk-1.8.0.392.b08-2.el7

Errata ID: AXSA:2023-6510:18

Release date: Thursday, October 19, 2023 - 01:42
Subject: java-1.8.0-openjdk-1.8.0.392.b08-2.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: IOR deserialization issue in CORBA (8303384) (CVE-2023-22067)
* OpenJDK: certificate path validation issue during client authentication (8309966) (CVE-2023-22081)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-22067
Vulnerability in Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381 and 8u381-perf. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-22081
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 20.0.2; Oracle GraalVM for JDK: 17.0.8 and 20.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.392.b08-2.el7.src.rpm
    MD5: f63aaeb0d5bfcf566a9ab4b7313106d7
    SHA-256: 9d193ff9f449429a1afefb9079a232f4898bec4864587ec457a9f27721e4d6b0
    Size: 57.39 MB

Asianux Server 7 for x86_64
  1. java-1.8.0-openjdk-1.8.0.392.b08-2.el7.i686.rpm
    MD5: 559cd9f0081155d0bb2a775e667cb45e
    SHA-256: e4f4ae82d2b259d5577a872cd358d77239882e2cf4a4ecdfd075dee8e936e049
    Size: 317.65 kB
  2. java-1.8.0-openjdk-1.8.0.392.b08-2.el7.x86_64.rpm
    MD5: e2cdb5667bed15808d255609edd53530
    SHA-256: c6afc0319b3e3bb3fb57f5ed48f1fd9c424f3175408a26014f3fe1bc8b510894
    Size: 318.11 kB
  3. java-1.8.0-openjdk-devel-1.8.0.392.b08-2.el7.i686.rpm
    MD5: 9efe5e22abe0cbcc76bd2e3d4d17188a
    SHA-256: ad102c7a52af463a903617d401344a90fc5cf9cf171896e78ad8df9e8856c5c9
    Size: 9.85 MB
  4. java-1.8.0-openjdk-devel-1.8.0.392.b08-2.el7.x86_64.rpm
    MD5: 864405d06fe313040825935cec134ea6
    SHA-256: 11837cb1002f052e8603e73d6ae35c613cd0ac9570fdc3478686cb09e13fa75b
    Size: 9.85 MB
  5. java-1.8.0-openjdk-headless-1.8.0.392.b08-2.el7.i686.rpm
    MD5: 3ca2c460bae4011f80eec93fa60edaee
    SHA-256: 3758a3735201a6adcdac57e27d011e9eb24c8233bc42422b6c7e9d0c133c0feb
    Size: 33.00 MB
  6. java-1.8.0-openjdk-headless-1.8.0.392.b08-2.el7.x86_64.rpm
    MD5: 010f6c980a5d6867e4934c73eeb73a30
    SHA-256: 35c879fd64976349391970ece1ad69c6edeccc5e929ac143bde4d6e0509a78a4
    Size: 33.17 MB