java-1.8.0-openjdk-1.8.0.432.b06-2.el8

Errata ID: AXSA:2024-8930:18

Release date: Tuesday, October 22, 2024 - 16:03
Subject: java-1.8.0-openjdk-1.8.0.432.b06-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)
* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)
* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)
* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)
* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-48161
Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpScreen2RGB function in gif2rgb.c.
CVE-2024-21208
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21210
Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2024-21217
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21235
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.432.b06-2.el8.src.rpm
    MD5: e7ef7a269503b4805c440042cd8024b6
    SHA-256: 468c61cf56c4345c083c090d6e92a1ace9c8081903431fdfcf34b2fbe68a85b9
    Size: 57.96 MB

Asianux Server 8 for x86_64
  1. java-1.8.0-openjdk-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: d42e404d58ec28c1aa1d52e027a1a2a1
    SHA-256: f8aff6f6c31ba60b685cf80016e5b6fb77ac5bd88add38e052239d970f553cec
    Size: 556.41 kB
  2. java-1.8.0-openjdk-accessibility-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: e11ee1c537c7d6a2aa68efefa8f0abad
    SHA-256: 7dc30d26693cea9fd96978c744d9fcb72eba419709f283c21e61b20e3a341ecd
    Size: 125.11 kB
  3. java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 31df7cb97800ffdd3baf280f70f49df1
    SHA-256: 44dc29ef6b3c72ef2aa833dfb8abf5c423eff78ee337d1097fd1049ee7960a20
    Size: 124.96 kB
  4. java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 0959fdb3ceaa826960da1049ce042714
    SHA-256: c9e75905a901896206a6c2f54622e531f664574ab573765873b1dc7f901c2dbb
    Size: 124.96 kB
  5. java-1.8.0-openjdk-demo-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 9f97df1a3122309dd973ed8b076c4a34
    SHA-256: 4f80288556212632c738b0bcfc7fc8c90aab6b2f05426f5d4f427ee2d1b6b148
    Size: 2.09 MB
  6. java-1.8.0-openjdk-demo-fastdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 3f3ea1f8da34f613c61c25cd013d77c7
    SHA-256: b8741c461bd5e22c07151c4dad6c5320714e51ede6561c5d64d2f56c7882bb13
    Size: 2.11 MB
  7. java-1.8.0-openjdk-demo-slowdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 919538d3b33397d239f9489f552c1de3
    SHA-256: 460075c28ef5eb149dbc40834a16d6d6d5505540cd0b8982dc29fc30a01092a2
    Size: 2.11 MB
  8. java-1.8.0-openjdk-devel-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 4a91955c2a6d5c3d82a1161500b7cb45
    SHA-256: 0191dc7c104caeb793597007e58e960910918b77fd1498f13c2080d4916e33cb
    Size: 9.96 MB
  9. java-1.8.0-openjdk-devel-fastdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 582d65e56b028a73ecb9ff8aa5aa5f45
    SHA-256: 0eff458a8a7145f2adfa1f65f5209d4ae85ad198fa54b4580289548851370bf6
    Size: 9.95 MB
  10. java-1.8.0-openjdk-devel-slowdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 9e2819da66a86cfc61de77cf41da3562
    SHA-256: 885daf91fe85dae8598fb07ef0b10de82713a64aa4412a69ece955a6dbf4132c
    Size: 9.96 MB
  11. java-1.8.0-openjdk-fastdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: db5542ea05cc5896850dcf8239066062
    SHA-256: df36a337dd5f14492a7ffb9a896d58123ae4c9552ccf02b6c18b0ca2f4f44057
    Size: 569.71 kB
  12. java-1.8.0-openjdk-headless-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: b098d1b362cf259b22cf663dd4c41f26
    SHA-256: 2011d1866afd8f3383e7a0c7d3d7e0a6f3fd5b909a0f1312ed4d21e8d42a3830
    Size: 34.52 MB
  13. java-1.8.0-openjdk-headless-fastdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: ec4210ca0f83f76ca81e159826d80f10
    SHA-256: a4b28fb5da8a28793bb3cbc169b62c95d8bb827ac4b881bc00a2ee1e9afbac7a
    Size: 38.17 MB
  14. java-1.8.0-openjdk-headless-slowdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: bf9a710450cca7a090909467fdedaee5
    SHA-256: 2028cd4db4d51916ff9b78809b18d0dd45a165586b488590583a165cd8fe3c4b
    Size: 36.35 MB
  15. java-1.8.0-openjdk-javadoc-1.8.0.432.b06-2.el8.noarch.rpm
    MD5: 5a8f6809646ff96992a6c2ca9117cced
    SHA-256: 89bc5a81c42126a97610a6706e871fabe042003ebebbf28eada61c9ef391ced0
    Size: 15.20 MB
  16. java-1.8.0-openjdk-javadoc-zip-1.8.0.432.b06-2.el8.noarch.rpm
    MD5: 4b22120da2200b1023e64333aa494428
    SHA-256: 0552a80a664f1bc7c7a73182b954025157d99d185461f27c0a4ff7c99f961dcd
    Size: 41.64 MB
  17. java-1.8.0-openjdk-slowdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: ecf31209fb069f834e2c949c58e61bfe
    SHA-256: b26a03fa5e8e1954076eb0f1b2a70d392cae2eb767ba7eef21909c743ae2f08a
    Size: 546.05 kB
  18. java-1.8.0-openjdk-src-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: b3383e8212d0d198555115336fa56326
    SHA-256: c19e5c11f7b930811b30be6d6579c7b0e303873ff3424f4a034b8a8fe8170288
    Size: 45.52 MB
  19. java-1.8.0-openjdk-src-fastdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 4bfde6d01f5896796c67e8a2f0ed7fe5
    SHA-256: b0f5ba752944d3c8cecc3709c91e9164a156d07b670e9562386ea5eb3becdb9d
    Size: 45.52 MB
  20. java-1.8.0-openjdk-src-slowdebug-1.8.0.432.b06-2.el8.x86_64.rpm
    MD5: 4b728a91d81b415e54be704be39b7935
    SHA-256: b8763d05b38105cb96b644b30bf1e132a727d99797b1be941888878c7c44470f
    Size: 45.52 MB