java-17-openjdk-17.0.3.0.6-2.el8
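Errata ID: AXSA:2022-3151:02
The following items have been addressed.
[Security Fix]
- The Libraries component of Java has a vulnerability that, when untrusted code is executed on a client, allows an unauthenticated attacker to create, delete, or modify critical data accessible to Java. (CVE-2022-21449)
- The Libraries component of Java has a vulnerability that, when untrusted code is executed on a client, allows an unauthenticated attacker to gain unauthorized access and the like. (CVE-2022-21476)
- The JAXP component of Java has a vulnerability that, when untrusted code is executed on a client, allows an unauthenticated attacker to cause a partial denial of service. (CVE-2022-21426)
- The Libraries component of Java has a vulnerability that, when untrusted code is executed on a client, allows an unauthenticated attacker to update, insert, or delete data accessible to Java. (CVE-2022-21434)
- The Libraries component of Java has a vulnerability that, when untrusted code is executed on a client, allows an unauthenticated attacker to cause a partial denial of service. (CVE-2022-21443)
- The JNDI component of Java has a vulnerability that, when untrusted code is executed on a client, allows an unauthenticated attacker to update, insert, or delete data accessible to Java. (CVE-2022-21496)
Update the packages.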
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
N/A
SRPMS
- java-17-openjdk-17.0.3.0.6-2.el8.src.rpm
MD5: 57ed88895eecb43b22b06992cab3119d
SHA-256: 15360cb2ec993c2aefad888dd874419d5eb4aba66909cf3d789e82e18b79725b
Size: 61.20 MB
Asianux Server 8 for x86_64
- java-17-openjdk-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 6b18538a07d7d15ce0e02bdf7c51d33a
SHA-256: cc5a12c96b6b16b81f8e82bfd8275d1058d95d164039beeaa3a29ac5504164cd
Size: 245.92 kB
- java-17-openjdk-demo-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 02c22c516f1021fc658a7dce9a5ef564
SHA-256: f69a674b1060a85d818191a938d3ed3fd3a6f4aa1173b05ca59f9de936cf9dea
Size: 3.80 MB
- java-17-openjdk-devel-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 79ac2fc5bfe40ed5a9472eab18274a3a
SHA-256: 5e02e1757c489b4b4ea996a21cc6b040efac449262f2593d5776c064e57e4ecc
Size: 5.10 MB
- java-17-openjdk-headless-17.0.3.0.6-2.el8.x86_64.rpm
MD5: c16eb8822c49e2ef21de2476aae3de19
SHA-256: 0da4d4c865ca76fec0d05dbba74402c0a125c6923317fbeea8fc55047cdb44be
Size: 41.15 MB
- java-17-openjdk-javadoc-17.0.3.0.6-2.el8.x86_64.rpm
MD5: e20bc231394fec146d4eb39a9ec39f85
SHA-256: 5e056a07ef8e179646d214ecd8f7226b6a91cb5ff58712ec39eec7cf56109ec0
Size: 15.99 MB
- java-17-openjdk-javadoc-zip-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 6d4f7012d03da43d06929f7dd83df1f2
SHA-256: 066773bb45fa1061a72e6b79b8828bad9498dc928e516081b97ed84bda98359e
Size: 40.21 MB
- java-17-openjdk-jmods-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 753112cd6440c69f3f5d65384a89cc9f
SHA-256: a8c5de859838c406639345cb3863ec9dd1f0815fb389a34b1883a716fad5c5ed
Size: 238.57 MB
- java-17-openjdk-src-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 2aa224332a26a074f9ede8119c32cb4d
SHA-256: 5348abb9cd6feaa61ce9babe8159fc59b3609cc0e3596175f69487ef870162c2
Size: 45.27 MB
- java-17-openjdk-static-libs-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 4adc222a8996d5a907d92e7e475a9e15
SHA-256: 0b61cdb1e6f99c0c9b679b074e89c4bd8af020b96e0b084d653d30a8b6d66977
Size: 26.17 MB
- java-17-openjdk-demo-fastdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 282f5f000fa07adb22b06a4620492f5c
SHA-256: 1abf8533ea13daaeb354b214272e2b4b34cfb15f35f509b4f1c082ea6d4035e4
Size: 3.81 MB
- java-17-openjdk-demo-slowdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 8f50f6ea0f38b2942ac9633a0b43c3e6
SHA-256: 55fc611f50b38fec76516d03189497c25c3cc421ed8e0c74e501f031b2fa15bf
Size: 3.81 MB
- java-17-openjdk-devel-fastdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: f23750b679bf32107d863c5d1ba8efe1
SHA-256: 98177ffcd6219e14e2b80d4ee340e9607b36478d3462f08741b2369d6b9b295c
Size: 5.10 MB
- java-17-openjdk-devel-slowdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: d0cbfc1851253fe3483cb9c468d43604
SHA-256: ffd4875976a7be009db84ef5d46b3b751277065f9619229b455b3ebbd0c9f0d2
Size: 5.10 MB
- java-17-openjdk-fastdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 99dee4fc1b74b8cfe2fa32a7e32dfb0d
SHA-256: ac352bbb776947c7a104c8f6e4632f969e4d449a0ca0fb645c140d488608c227
Size: 254.97 kB
- java-17-openjdk-headless-fastdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: befdb25d1f04c9ddf0d1353f670fda52
SHA-256: 82cac0de9f4d31a0c6a278469e04c8b98c7e5328e20abe952adbccd351dc0034
Size: 45.64 MB
- java-17-openjdk-headless-slowdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: de26cafe4468a350e5e0be1dc1ee1c62
SHA-256: aaf9c30006acf22fa954d24a616298a8ddef49b4606dc5e87fcda6a32b0dd742
Size: 43.69 MB
- java-17-openjdk-jmods-fastdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: e8bcd0382c31aa0d0e8476f6212256ee
SHA-256: 2c6f36eb7467ed116132f251f6e46f593bee31d7d423918592b82196d8d6d65b
Size: 231.47 MB
- java-17-openjdk-jmods-slowdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 8b74f8d7017fd29a38a02ef2546ae230
SHA-256: 355f53e623c068fbb166018ef6c1b8c537f89212fe15fcd0a78fb9e07cdb1008
Size: 171.80 MB
- java-17-openjdk-slowdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: f96637f0eca964bca44dc5bc102ca39a
SHA-256: 360fa37d28d04317bc620517fdc001d5e47e6f2a1279a38ca37c30a3a81694e3
Size: 243.79 kB
- java-17-openjdk-src-fastdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 5586faf0d4fc3b79f75a7b819b0cf8bc
SHA-256: 335e5563d5a385bd1411e13c0e272adf84655fcbb4f65da34e607908f859ea06
Size: 45.28 MB
- java-17-openjdk-src-slowdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: ba398f103c69bd4465f53d667ac53684
SHA-256: 1b39a929ec935032a015ef6c62833765a90f7124d8c3bc5ef0ae7a0d0b29ba60
Size: 45.28 MB
- java-17-openjdk-static-libs-fastdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 8675046aef1fbadb88f6fea9d8f66f6d
SHA-256: 3fd9740719fe6a8732dd95b9fe3a20703e56af8a1730e744dafe1b1519bea6bf
Size: 26.36 MB
- java-17-openjdk-static-libs-slowdebug-17.0.3.0.6-2.el8.x86_64.rpm
MD5: 81f306627cf0cb891b3d01b1f2a992ac
SHA-256: 3ce7c308fb04cd8fc58728f46d62bd573f4cb6709db82a5f09e7cef8ac84d927
Size: 21.48 MB