java-11-openjdk-11.0.22.0.7-2.el8

Errata ID: AXSA:2024-7445:04

Release date: Tuesday, January 23, 2024 - 10:28
Subject: java-11-openjdk-11.0.22.0.7-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)
* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)
* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)
* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)
* OpenJDK: arbitrary Java code execution in Nashorn (8314284) (CVE-2024-20926)
* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-20918
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVE-2024-20919
RESERVED
CVE-2024-20921
RESERVED
CVE-2024-20926
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2024-20945
RESERVED
CVE-2024-20952
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-11-openjdk-11.0.22.0.7-2.el8.src.rpm
    MD5: dee5856931cffd73f2eb589ff229283d
    SHA-256: 74d85119021019ca6185708582e42532f38cfe6685d22e42dda544e647a942a9
    Size: 68.30 MB

Asianux Server 8 for x86_64
  1. java-11-openjdk-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 537c5a61d2ee3a8fbc69b7500ee6610d
    SHA-256: 6a9c822a4d1e10caae81bf4f19f2c9bb47bd1249233a2747265380457d4fb207
    Size: 473.89 kB
  2. java-11-openjdk-demo-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 101ec9ad428f26e63ec27cfb39a883f3
    SHA-256: 95f2f9a2decce4d7566c68b934a8356d956293775cf54b9fa3664b3010524b24
    Size: 4.39 MB
  3. java-11-openjdk-demo-fastdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 6e5cb9f38530a3079b4519a965bb4048
    SHA-256: 6069515f8275065c6d4f53cbc84dd59e65873f2dd987cf0d3e48871115563c8b
    Size: 4.39 MB
  4. java-11-openjdk-demo-slowdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 8b8f647fadcd6de838036c358f33d512
    SHA-256: 6895f86a2506a7a75616e23c74df7748c28f4fbf9fb25620a724599ec3e72cfa
    Size: 4.39 MB
  5. java-11-openjdk-devel-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: a52f0dea2456cb1b95654708ce7cdda9
    SHA-256: 75aed5bb86ee94a0e4088fd1f643a92e80ea1930c5b37f0cdba5a04dc365aab0
    Size: 3.39 MB
  6. java-11-openjdk-devel-fastdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 1883e67c3374418dcc05b58d3b561259
    SHA-256: 0e4509765acf3fee768ba8ff293cadff8b13ecb53c5c12e216133afee938bc9e
    Size: 3.39 MB
  7. java-11-openjdk-devel-slowdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 31ee0a0c2aa3ca72d6fd3d46ebdb3fd1
    SHA-256: d419da2c2e2b69563fc369b2667526d27d236bdcbc69601cd91559e4ca6b4408
    Size: 3.39 MB
  8. java-11-openjdk-fastdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: eb1beae7371f8b11cfca0b0be51a76c1
    SHA-256: 50f273e4f39f1e138ea3cdbed521efdeafaa3f7343ac7948ba68ffb8f36581fc
    Size: 487.18 kB
  9. java-11-openjdk-headless-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 038925893a1dd5c701418ca0725b6a36
    SHA-256: 38b08314432a6e9f9aeedf7c676db5a6e616944a1563d0daf39075abd7633033
    Size: 41.52 MB
  10. java-11-openjdk-headless-fastdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 88cbb01de16a9082c768a70994ec4559
    SHA-256: e2bdfb8e06b1f3d68c8558de43908e14d76731c9cdd9efbd96a9a7b953b819e5
    Size: 46.52 MB
  11. java-11-openjdk-headless-slowdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: a3927c109121d737e223297524c3beec
    SHA-256: f80385e828dd8cee8654226fcf7d4c501363cb6a576afcec48f0e7705fae7da2
    Size: 45.99 MB
  12. java-11-openjdk-javadoc-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 5203fc14040d9cebfa2672e59b9fcc99
    SHA-256: 76ca52f6b738796013d69710a7f61198466527f20f18d6de43f5189d35508809
    Size: 16.00 MB
  13. java-11-openjdk-javadoc-zip-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 0467595d925f8d2232492f8219f6290f
    SHA-256: e336f6872b975b4074ca2ddae8c235d166ec76f134b989876b56184a99cd5730
    Size: 42.15 MB
  14. java-11-openjdk-jmods-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 555fe277cdce867c2ef3e0344c4cc91f
    SHA-256: 9afb763e60b754a5550f4cf87e30b99385e06ed3aa7186647ea6ab0f25fd2e5c
    Size: 342.20 MB
  15. java-11-openjdk-jmods-fastdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: b78bc293be12c71bbf6746ce4612b7b7
    SHA-256: 50ccbb97ffb7c71c7b4f3163e91d2eb17db40a88cb2e06916a5d7a8eed909c0b
    Size: 297.11 MB
  16. java-11-openjdk-jmods-slowdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 89ae05d3ceb9b7f0db0ecfff9ac4c28c
    SHA-256: 27861a58ada771c4e8035f5cf2fa456d0dba30b137d5fb9a0f55e7d0c375c83c
    Size: 229.46 MB
  17. java-11-openjdk-slowdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: ca647e28787c5dd22776f581c482c131
    SHA-256: 5b2cb4671131bea385ba13b78937e2d576302ad366eb0f41ee1692a6883b42d9
    Size: 461.31 kB
  18. java-11-openjdk-src-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 229f4b10b59009974b330ad1f150b174
    SHA-256: dee42a60eae19168d539e7859302cf36c8e6e43048c2f280af1df9afc109c04f
    Size: 50.53 MB
  19. java-11-openjdk-src-fastdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 2d6134708284a9540084959b514b8c0b
    SHA-256: 647aee0b00ca478d31e0000170b6d546c82bf42c752b7d910d741d7ea34f0e9b
    Size: 50.53 MB
  20. java-11-openjdk-src-slowdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 164c234f51792788d6e07d6bd537d32b
    SHA-256: 7c1f5319848b696f1f0b6eda91ecddd01c5f5da77edb39660bcadfd8c7bb5ec5
    Size: 50.53 MB
  21. java-11-openjdk-static-libs-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: b4386641465888466d2cb3a4141649e0
    SHA-256: 9a5b7760ac440a56ec197cab9c080abcbbd9da62a68569fab39e4aee1c3dea68
    Size: 35.47 MB
  22. java-11-openjdk-static-libs-fastdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: 01aaeb484191319c39c9ab58988875f1
    SHA-256: a78309c6818d7d838153dbaa6564818667dea8882675475218bfc2266fac0a76
    Size: 35.72 MB
  23. java-11-openjdk-static-libs-slowdebug-11.0.22.0.7-2.el8.x86_64.rpm
    MD5: fc40e059bf164fad718cee3ce9ef76b0
    SHA-256: 740f0cd74407d96f5500be0787b9434ee94aa0ba0420591c6d6a3c02847b88cd
    Size: 31.07 MB