java-17-openjdk-17.0.13.0.11-3.el8

Errata ID: AXSA:2024-8948:16

Release date: Monday, October 28, 2024 - 16:05
Subject: java-17-openjdk-17.0.13.0.11-3.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)
* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)
* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)
* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)
* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-48161
Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpScreen2RGB function in gif2rgb.c.
CVE-2024-21208
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21210
Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2024-21217
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21235
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-17-openjdk-17.0.13.0.11-3.el8.src.rpm
    MD5: 3e63486c86557b509e504694ddf1757c
    SHA-256: ee99450fc96b2f6414e30a6612bc122f23b8f0a1afc30955ff517f11e00f83ec
    Size: 63.56 MB

Asianux Server 8 for x86_64
  1. java-17-openjdk-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 3e996c0dd6d21ff2ebc252603b7b23ae
    SHA-256: 9d198c827831a6b1fa8421141da28ca4e08e74b8c132de3c7231797df5362c59
    Size: 492.72 kB
  2. java-17-openjdk-debugsource-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: ae95313efeb4f8509a13d9de79811774
    SHA-256: 9acadc2e5c72865a3d3aa9972f86ca9db9160eaa1bd53ef6c13cccd51bb87175
    Size: 10.66 MB
  3. java-17-openjdk-demo-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: cb63fc8a61fd3ae7c326a5b5c44fde61
    SHA-256: a750a9c448af5f245824a6e0ceeff2204b96879fbf2b62fc87eb423f72793fb0
    Size: 3.44 MB
  4. java-17-openjdk-demo-fastdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 0feff0cb0a03494c69abb731d54a60df
    SHA-256: 678405908ca16b1e64b9bcaf9f7f07bd5590642fd19fe639d7444be249e3d62b
    Size: 3.44 MB
  5. java-17-openjdk-demo-slowdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: b5ade9a7cceeab0f7b6779550cca932c
    SHA-256: 258e9bd5442134f6a253742d1f8dc68cdcfae29ca6ba8f17229589d9d9280a75
    Size: 3.44 MB
  6. java-17-openjdk-devel-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 8dbe6a23a68c3c1fb84cf8589bd2ca09
    SHA-256: 5996327f773f10305d304890af537de6862a12fb6698d27bb0688182037d439c
    Size: 5.12 MB
  7. java-17-openjdk-devel-fastdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 0bfea471ad90846331825c6d77c80651
    SHA-256: fe7262ee1cc1e06fde4eef6b241aff006e6204ffbee92f1c06dfccb2ba91a173
    Size: 5.12 MB
  8. java-17-openjdk-devel-slowdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: ecfe7fd59f2ebea1415d61346179f7a3
    SHA-256: 88b808e7645c80fb90d190783fa3b52906d7688b503a0abceb5f25366815f939
    Size: 5.12 MB
  9. java-17-openjdk-fastdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: a0a5bded48c5dad882e999c5240a047a
    SHA-256: 687843a2e6c95571b5682846210ed7122f22ca6c84c55ae77f50b03410e70fb9
    Size: 501.61 kB
  10. java-17-openjdk-headless-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 5002bbf04432fcba4d109b4243e5726d
    SHA-256: d19f021a042ee8c398de5cade465fde7a872b76a067ec5e4cec9103ae9fa9ed7
    Size: 46.17 MB
  11. java-17-openjdk-headless-fastdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 9a87e7746ec8b9e701f68b8974a5d72c
    SHA-256: c52cf4892473cd9cf5cecb595adff508937f3ebb7e4520eba9466770c62a3580
    Size: 50.75 MB
  12. java-17-openjdk-headless-slowdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 2fe9c9d1cf64b43cff1482e16f49a9c5
    SHA-256: 23dccf3698099ecf349de62746646267b81f063aedd3fb03172abec04b989216
    Size: 49.22 MB
  13. java-17-openjdk-javadoc-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 7fa391d240f5f458fe58cd124163a2de
    SHA-256: 2820415f7805c37695071c7c1bff35d9b2c0e108f971f200cd36e61767560441
    Size: 16.04 MB
  14. java-17-openjdk-javadoc-zip-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 62fce966584418f00ac7a4597994675e
    SHA-256: f562f6930d280765bf83e5f0fd96843096431bc40950f1df84454bc41c084879
    Size: 40.38 MB
  15. java-17-openjdk-jmods-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 213923013f51572069bbca432e401a34
    SHA-256: a14fce386dae8a649dfc58f7a474b77230cc0a73dbf0a4a95e839e82fc5f5f7e
    Size: 255.15 MB
  16. java-17-openjdk-jmods-fastdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: dd60ac82f0c0d3381b632f4e8dd3f789
    SHA-256: 3da21176e9026a4d20f97545adbc838e17b1b758aa0d7d871e0dd7396b45a308
    Size: 248.25 MB
  17. java-17-openjdk-jmods-slowdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: f6577b6ecd68878c8803b55741e4bd7f
    SHA-256: 787046acef31da94161a0ee45af647f739fd0b3fa8cd10219be55158d79e4e6a
    Size: 187.11 MB
  18. java-17-openjdk-slowdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: bde0072c70592e07cf4fb6001d42a958
    SHA-256: 2cf70d916f95d2775281eb290275adc4367c73a9a2859304ee43e9656a619d5b
    Size: 478.41 kB
  19. java-17-openjdk-src-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: f562c6bf60f66d87fffdca9b19f93fc8
    SHA-256: 1d9758c6804b887d4fc87024a6ef24649299ff8f35fa86942a7a7ddbcd7918e0
    Size: 45.48 MB
  20. java-17-openjdk-src-fastdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: b4b335a1e9b12aedac9ada5cb1d99c2e
    SHA-256: 11f4ecb26f10865152a1291ce599053a89280dd2b9700a12a1d3db0f728eae9f
    Size: 45.48 MB
  21. java-17-openjdk-src-slowdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 5d88e58d62a91e4f701d6ce0ae66bd41
    SHA-256: 9a2a0c540704ed84d12b11ff28a7591b6600b213662e2378a5745cf86325482f
    Size: 45.48 MB
  22. java-17-openjdk-static-libs-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 5f556f713fa30e5b4684cf3d4bd651c7
    SHA-256: b857d0d12b64b75e8bbbaebf2cefb95632959156490d43e5f2a8a97a22e09b6b
    Size: 30.94 MB
  23. java-17-openjdk-static-libs-fastdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: 63014f69b1e574256641bbed88a914b5
    SHA-256: b85f1cc1bdec35d62bf01d5dbbe0ff86d30fea8cfaa170fe81f62affc0d7d706
    Size: 31.08 MB
  24. java-17-openjdk-static-libs-slowdebug-17.0.13.0.11-3.el8.x86_64.rpm
    MD5: bd6d86695ccd83f068a085cc01fd6f18
    SHA-256: f6628e2873d0d80d0d1ff6f824e5bdf95f4880363ab128a24a7b5aae4bae7384
    Size: 24.46 MB