java-17-openjdk-17.0.10.0.7-2.el8

Errata ID: AXSA:2024-7459:03

Release date: Wednesday, January 24, 2024 - 06:56
Subject: java-17-openjdk-17.0.10.0.7-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and
the OpenJDK 17 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)
* OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123) (CVE-2024-20932)
* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)
* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)
* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)
* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2024-20918
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVE-2024-20919
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-20921
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-20932
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2024-20945
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-20952
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-17-openjdk-17.0.10.0.7-2.el8.src.rpm
    Size: 62.87 MB

Asianux Server 8 for x86_64
  1. java-17-openjdk-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 459.37 kB
  2. java-17-openjdk-demo-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 3.43 MB
  3. java-17-openjdk-demo-fastdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 3.43 MB
  4. java-17-openjdk-demo-slowdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 3.43 MB
  5. java-17-openjdk-devel-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 5.11 MB
  6. java-17-openjdk-devel-fastdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 5.11 MB
  7. java-17-openjdk-devel-slowdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 5.11 MB
  8. java-17-openjdk-fastdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 468.43 kB
  9. java-17-openjdk-headless-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 46.37 MB
  10. java-17-openjdk-headless-fastdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 50.93 MB
  11. java-17-openjdk-headless-slowdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 50.07 MB
  12. java-17-openjdk-javadoc-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 16.02 MB
  13. java-17-openjdk-javadoc-zip-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 40.26 MB
  14. java-17-openjdk-jmods-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 259.26 MB
  15. java-17-openjdk-jmods-fastdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 252.26 MB
  16. java-17-openjdk-jmods-slowdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 190.02 MB
  17. java-17-openjdk-slowdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 441.72 kB
  18. java-17-openjdk-src-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 45.41 MB
  19. java-17-openjdk-src-fastdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 45.41 MB
  20. java-17-openjdk-src-slowdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 45.41 MB
  21. java-17-openjdk-static-libs-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 36.78 MB
  22. java-17-openjdk-static-libs-fastdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 36.95 MB
  23. java-17-openjdk-static-libs-slowdebug-17.0.10.0.7-2.el8.x86_64.rpm
    Size: 31.81 MB