java-17-openjdk-17.0.10.0.7-2.el9.ML.1

Errata ID: AXSA:2024-7461:04

Release date: 
Wednesday, January 24, 2024 - 07:40
Subject: 
java-17-openjdk-17.0.10.0.7-2.el9.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

Security Fix(es):

OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)
OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123) (CVE-2024-20932)
OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)
OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)
OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)
OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE(s):
CVE-2024-20918
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVE-2024-20919
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-20921
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-20932
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2024-20945
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-20952
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-17-openjdk-17.0.10.0.7-2.el9.ML.1.src.rpm
    Size: 62.84 MB

Asianux Server 9 for x86_64
  1. java-17-openjdk-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 433.12 kB
  2. java-17-openjdk-demo-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 3.38 MB
  3. java-17-openjdk-demo-fastdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 3.38 MB
  4. java-17-openjdk-demo-slowdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 3.38 MB
  5. java-17-openjdk-devel-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 4.71 MB
  6. java-17-openjdk-devel-fastdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 4.71 MB
  7. java-17-openjdk-devel-slowdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 4.71 MB
  8. java-17-openjdk-fastdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 442.23 kB
  9. java-17-openjdk-headless-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 44.90 MB
  10. java-17-openjdk-headless-fastdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 50.04 MB
  11. java-17-openjdk-headless-slowdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 48.56 MB
  12. java-17-openjdk-javadoc-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 12.49 MB
  13. java-17-openjdk-javadoc-zip-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 39.44 MB
  14. java-17-openjdk-jmods-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 248.90 MB
  15. java-17-openjdk-jmods-fastdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 247.94 MB
  16. java-17-openjdk-jmods-slowdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 178.58 MB
  17. java-17-openjdk-slowdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 411.98 kB
  18. java-17-openjdk-src-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 44.76 MB
  19. java-17-openjdk-src-fastdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 44.76 MB
  20. java-17-openjdk-src-slowdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 44.76 MB
  21. java-17-openjdk-static-libs-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 32.58 MB
  22. java-17-openjdk-static-libs-fastdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 32.66 MB
  23. java-17-openjdk-static-libs-slowdebug-17.0.10.0.7-2.el9.ML.1.x86_64.rpm
    Size: 29.30 MB