java-1.8.0-openjdk-1.8.0.342.b07-1.el7
Errata ID: AXSA:2022-3599:06
Release date:
2022/07/25 Monday - 18:02
Title:
java-1.8.0-openjdk-1.8.0.342.b07-1.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The Hotspot component of java contains a vulnerability that allows an unauthenticated attacker to read data without authorization when untrusted code is run on the client. (CVE-2022-21540)
- The Hotspot component of java contains a vulnerability that allows an unauthenticated attacker to gain unauthorized access to, and manipulate, all data accessible to java when untrusted code is run on the client. (CVE-2022-21541)
- The Apache Xalan Java XSLT library in java has an integer truncation issue that allows arbitrary java bytecode execution when a malicious XSLT stylesheet is processed. (CVE-2022-34169)
Solution:
Update the packages.
CVE:
CVE-2022-21540
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21541
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Additional information:
N/A
Download:
SRPMS
- java-1.8.0-openjdk-1.8.0.342.b07-1.el7.src.rpm
MD5: 4b489e265150f80f060f5185b70c59bf
SHA-256: f34daa33319bedc587ce7b992d7dca90e7d33d729828ebd2ec560af50f17c58e
Size: 55.72 MB
Asianux Server 7 for x86_64
- java-1.8.0-openjdk-1.8.0.342.b07-1.el7.x86_64.rpm
MD5: be499e5290787f313c09966670099b02
SHA-256: c42776bd11f284a1116da7be6a120e85bd474b41e7d7129a3592b1112d9ec235
Size: 313.93 kB
- java-1.8.0-openjdk-devel-1.8.0.342.b07-1.el7.x86_64.rpm
MD5: d16c3c80e601da24dcb2852ae76846ea
SHA-256: 20c526c8d5c376e37a50d899fc193052dad932428c4414d31a087118392ab261
Size: 9.84 MB
- java-1.8.0-openjdk-headless-1.8.0.342.b07-1.el7.x86_64.rpm
MD5: 15340dadf8a307f7e472ee8d48910590
SHA-256: 561c89ce33e7528ce2e31d0dd09c1d2ab605425725449825354fcf714b6fe598
Size: 33.08 MB
- java-1.8.0-openjdk-1.8.0.342.b07-1.el7.i686.rpm
MD5: 173ba2d33f6e4e2e7019501f7c885ab7
SHA-256: 0d7dbedd04ea1781360e37e84c142d4d5feb683a7747b296547ed9cbfd13dcdd
Size: 313.47 kB
- java-1.8.0-openjdk-devel-1.8.0.342.b07-1.el7.i686.rpm
MD5: 3e215cce025aea0a470d512d23da9638
SHA-256: 6d59fdc2dbdff1d11daacd49a21038f0c04e968961aee04f4c7cd9aa49960fbc
Size: 9.84 MB
- java-1.8.0-openjdk-headless-1.8.0.342.b07-1.el7.i686.rpm
MD5: 7376309885da68274bd50552db9ddeb1
SHA-256: f6cb93345610dc5b14db3b40b5d495aab954f9bfd2373f50449fc3d9daee9b29
Size: 32.92 MB