java-11-openjdk-11.0.24.0.8-3.el8
Errata ID: AXSA:2024-8581:14
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and
the OpenJDK 11 Java Software Development Kit.
Security Fix(es):
- OpenJDK: RangeCheckElimination array index overflow (8323231) (CVE-2024-21147)
- OpenJDK: potential UTF8 size overflow (8314794) (CVE-2024-21131)
- OpenJDK: Excessive symbol length can lead to infinite loop (8319859) (CVE-2024-21138)
- OpenJDK: Range Check Elimination (RCE) pre-loop limit overflow (8320548) (CVE-2024-21140)
- OpenJDK: Pack200 increase loading time due to improper header validation (8322106) (CVE-2024-21144)
- OpenJDK: Out-of-bounds access in 2D image handling (8324559) (CVE-2024-21145)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVE(s):
CVE-2024-21131
CVE-2024-21138
CVE-2024-21140
CVE-2024-21144
CVE-2024-21145
CVE-2024-21147
Update packages.
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
N/A
SRPMS
- java-11-openjdk-11.0.24.0.8-3.el8.src.rpm
MD5: b547aa5b024ba7fb4e821bfd608d226d
SHA-256: 387b4251a3b80b97b4deb6bccdc96ad6677048fb4eb2d8a5c2866b285d1c52f7
Size: 68.34 MB
Asianux Server 8 for x86_64
- java-11-openjdk-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 54496325b80f5a17cad21f253371dd19
SHA-256: f958ae31e20bc5adda4b2c0c6c7b4903812010a2ee2d3a4af0a19ceac3e11500
Size: 475.02 kB
- java-11-openjdk-demo-11.0.24.0.8-3.el8.x86_64.rpm
MD5: b6181c95c58b29b22c7ffd0ca7518d98
SHA-256: 41186374ab6993be51782021107aba0547291beecc0f0ebe1ea8f19f1291c747
Size: 4.40 MB
- java-11-openjdk-demo-fastdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: bf44273afb3cf34a132a2d13c9f59020
SHA-256: d24e56bb56767c429930d1a584d1fbaf70d6e86e767b3a6d56fc2704956437f2
Size: 4.40 MB
- java-11-openjdk-demo-slowdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: a5b0a4ce80ebb4558a4c0e41c85c0875
SHA-256: 5600268a7ec4eb93bcb356d9944095d1ce20c0e7922668b79cb5013bed1ec59f
Size: 4.40 MB
- java-11-openjdk-devel-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 3cf4c46bbc84d3d67403e28ce3fdef62
SHA-256: b6811b57ca9acf965f9be8ca0fffcb429e7e6d4a89f3af2ed9d7ff264ab5cee7
Size: 3.39 MB
- java-11-openjdk-devel-fastdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 0471e9217b80de68d32bfbdde9be365f
SHA-256: 5995164d39860928d54a32bcadc3cb92e138c145d75515aad0ba34b146a50e84
Size: 3.39 MB
- java-11-openjdk-devel-slowdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 3beb804198f094f10a69612e9489af8d
SHA-256: 4261643d52b3bac2a0fadc0daae181bb342ceb4e307adf6d5b17416cbb5eb307
Size: 3.39 MB
- java-11-openjdk-fastdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 2c5358531c02871db58f1357126065f9
SHA-256: b1049bb6dcbc75dde521b0a10c501f7e4d50c854e182eca3f7c3be9cd9c83587
Size: 488.46 kB
- java-11-openjdk-headless-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 146a10aff8a07f9caf76a4ed59e4b79d
SHA-256: 843166e52c86800ce7ed2361bcb73295d6009b5fa876ca86ef17d2af87134a8a
Size: 41.61 MB
- java-11-openjdk-headless-fastdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 4c953c73a2da0f38ee4d7e8c63062076
SHA-256: 04c90191d0a445460c5b40253e7593e5cebdfcc9c2f02dd21fac0c2a68177cdb
Size: 46.63 MB
- java-11-openjdk-headless-slowdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 0eb37a51bf0c46ec7abd3423439ffbdc
SHA-256: a4c14df97fb58f8dc0a4996da465fa3a7750439119349b7c326985989229babd
Size: 46.16 MB
- java-11-openjdk-javadoc-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 0de6770ecf749970110715c70b44f908
SHA-256: b3f14644f6c2a1638735c5113665faceb27cad51bc8ef18d1a660b6bfc8dd296
Size: 16.01 MB
- java-11-openjdk-javadoc-zip-11.0.24.0.8-3.el8.x86_64.rpm
MD5: bd446ee47a16fd74cf562e80d2dd9d98
SHA-256: ecb9c92faaf6087a741386e1150aa5d39b1c1a693a7086defcff1f4e77a7d396
Size: 42.17 MB
- java-11-openjdk-jmods-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 270eee08e1bf894bd9da22eff0c2fcd3
SHA-256: 8933a44e7432a3f0b71e40a0bafe26e7ab2786574d355ee49996f3e2e4f0b0a8
Size: 344.45 MB
- java-11-openjdk-jmods-fastdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 3b77eef4d9fa515e9b55789ed329138f
SHA-256: d02d1e3bb090c7510ca1b8a41baa4e4d51908c9958e3dfe4f6947278adb8c866
Size: 299.49 MB
- java-11-openjdk-jmods-slowdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 63767ecf065227ab67576c94b48d3500
SHA-256: 269b751c444c1571624fc0aeebdfc86d85841b211601733d889f997e849a323a
Size: 231.38 MB
- java-11-openjdk-slowdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: f4e3ca7104cdddebdbec6034536682f5
SHA-256: cbb3ca4fabb6fa18b7a5d139c66b1e68f7c46d60c86d05edf67441d57d59db2d
Size: 462.57 kB
- java-11-openjdk-src-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 7f93ad96303282f8875edb6ec49ed2d0
SHA-256: fd839b1cdbb24750b0e55236e115a658bb949b2c62829329cc72866cc7c19138
Size: 50.54 MB
- java-11-openjdk-src-fastdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 347c96e74eea6f0ce9eeca44712de99c
SHA-256: ff13e145f7fc32dc2e84ed660e11c8d7a297a64db5afc2d6ed64292471c0a5ad
Size: 50.54 MB
- java-11-openjdk-src-slowdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: b4eb2d03613cfe1ecb3710fbdd101615
SHA-256: f6720cea5fbb0e9f3a475ec9fbee1afe75c5f9718bb16412146c643b9f23f736
Size: 50.54 MB
- java-11-openjdk-static-libs-11.0.24.0.8-3.el8.x86_64.rpm
MD5: dfa98b126ee2044305aa1a46ca51b967
SHA-256: b56d80659c9ba27c2ed72d452568bf878a979a65c1c7ce89e085a37e46f9e5dd
Size: 38.41 MB
- java-11-openjdk-static-libs-fastdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: 1e17d8c3460577e04a9c905e74c61f26
SHA-256: 433e0b90f247595b0ea2fabdce8be5d307c7fb514fe8029dc9e2d47a604ce25d
Size: 38.75 MB
- java-11-openjdk-static-libs-slowdebug-11.0.24.0.8-3.el8.x86_64.rpm
MD5: a0900fb17eadf476f85fba1c1bc45f0c
SHA-256: 080d038991a2bcd1fc09e95bf06030fb207a7f78b3ab595bdbf4ce6980d1fa1f
Size: 33.56 MB