java-21-openjdk-21.0.4.0.7-1.el8.ML.1

Errata ID: AXSA:2024-8578:11

Release date: Friday, July 19, 2024 - 19:39
Subject: java-21-openjdk-21.0.4.0.7-1.el8.ML.1
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

Security Fix(es):

* OpenJDK: RangeCheckElimination array index overflow (8323231) (CVE-2024-21147)
* OpenJDK: potential UTF8 size overflow (8314794) (CVE-2024-21131)
* OpenJDK: Excessive symbol length can lead to infinite loop (8319859) (CVE-2024-21138)
* OpenJDK: Range Check Elimination (RCE) pre-loop limit overflow (8320548) (CVE-2024-21140)
* OpenJDK: Out-of-bounds access in 2D image handling (8324559) (CVE-2024-21145)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-21131
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2024-21138
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21140
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2024-21145
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2024-21147
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-21-openjdk-21.0.4.0.7-1.el8.ML.1.src.rpm
    Size: 66.61 MB

Asianux Server 8 for x86_64
  1. java-21-openjdk-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 444.83 kB
  2. java-21-openjdk-demo-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 3.17 MB
  3. java-21-openjdk-demo-fastdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 3.17 MB
  4. java-21-openjdk-demo-slowdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 3.17 MB
  5. java-21-openjdk-devel-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 5.16 MB
  6. java-21-openjdk-devel-fastdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 5.16 MB
  7. java-21-openjdk-devel-slowdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 5.16 MB
  8. java-21-openjdk-fastdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 454.20 kB
  9. java-21-openjdk-headless-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 49.84 MB
  10. java-21-openjdk-headless-fastdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 54.68 MB
  11. java-21-openjdk-headless-slowdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 54.48 MB
  12. java-21-openjdk-javadoc-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 16.40 MB
  13. java-21-openjdk-javadoc-zip-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 41.50 MB
  14. java-21-openjdk-jmods-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 312.45 MB
  15. java-21-openjdk-jmods-fastdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 368.88 MB
  16. java-21-openjdk-jmods-slowdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 289.68 MB
  17. java-21-openjdk-slowdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 431.07 kB
  18. java-21-openjdk-src-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 47.32 MB
  19. java-21-openjdk-src-fastdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 47.32 MB
  20. java-21-openjdk-src-slowdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 47.32 MB
  21. java-21-openjdk-static-libs-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 39.82 MB
  22. java-21-openjdk-static-libs-fastdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 40.07 MB
  23. java-21-openjdk-static-libs-slowdebug-21.0.4.0.7-1.el8.ML.1.x86_64.rpm
    Size: 34.31 MB