java-21-openjdk-21.0.5.0.10-3.el9.ML.1

Errata ID: AXSA:2024-8940:15

Release date: Thursday, October 24, 2024 - 15:40
Subject: java-21-openjdk-21.0.5.0.10-3.el9.ML.1
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

The OpenJDK 21 runtime environment.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function
(CVE-2023-48161)
* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)
* JDK: HTTP client improper handling of maxHeaderSize (8328286)
(CVE-2024-21208)
* JDK: Unbounded allocation leads to out-of-memory error (8331446)
(CVE-2024-21217)
* JDK: Integer conversion error leads to incorrect range check (8332644)
(CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2023-48161
Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpScreen2RGB function in gif2rgb.c.
CVE-2024-21208
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21210
Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2024-21217
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21235
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-21-openjdk-21.0.5.0.10-3.el9.ML.1.src.rpm
    Size: 66.79 MB

Asianux Server 9 for x86_64
  1. java-21-openjdk-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 427.99 kB
  2. java-21-openjdk-demo-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 3.18 MB
  3. java-21-openjdk-demo-fastdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 3.18 MB
  4. java-21-openjdk-demo-slowdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 3.18 MB
  5. java-21-openjdk-devel-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 5.01 MB
  6. java-21-openjdk-devel-fastdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 5.01 MB
  7. java-21-openjdk-devel-slowdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 5.01 MB
  8. java-21-openjdk-fastdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 436.49 kB
  9. java-21-openjdk-headless-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 47.24 MB
  10. java-21-openjdk-headless-fastdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 51.71 MB
  11. java-21-openjdk-headless-slowdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 49.76 MB
  12. java-21-openjdk-javadoc-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 15.03 MB
  13. java-21-openjdk-javadoc-zip-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 40.65 MB
  14. java-21-openjdk-jmods-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 301.23 MB
  15. java-21-openjdk-jmods-fastdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 352.44 MB
  16. java-21-openjdk-jmods-slowdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 267.38 MB
  17. java-21-openjdk-slowdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 407.06 kB
  18. java-21-openjdk-src-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 46.69 MB
  19. java-21-openjdk-src-fastdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 46.70 MB
  20. java-21-openjdk-src-slowdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 46.70 MB
  21. java-21-openjdk-static-libs-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 28.48 MB
  22. java-21-openjdk-static-libs-fastdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 28.54 MB
  23. java-21-openjdk-static-libs-slowdebug-21.0.5.0.10-3.el9.ML.1.x86_64.rpm
    Size: 20.04 MB