java-17-openjdk-17.0.4.0.8-2.el8
Errata ID: AXSA:2022-3706:04
Release date:
2022/08/16 Tuesday - 12:00
Title:
java-17-openjdk-17.0.4.0.8-2.el8
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
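The following issues have been addressed.
[Security Fix]
- The Hotspot component of Java has a vulnerability that allows an
unauthenticated attacker to read data without authorization when
untrusted code is executed on a client. (CVE-2022-21540)
- The Hotspot component of Java has a vulnerability that allows an
unauthenticated attacker to access and manipulate, without
authorization, all data accessible to Java when untrusted code is
executed on a client. (CVE-2022-21541)
- The Libraries component of Java has a vulnerability that allows an
unauthenticated attacker to update, insert, or delete data accessible
to Java. (CVE-2022-21549)
- The Apache Xalan Java XSLT library in Java has an integer truncation
issue that allows arbitrary Java bytecode to be executed when a
malicious XSLT stylesheet is processed. (CVE-2022-34169)
Solution:
Update the packages.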
CVE:
CVE-2022-21540
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21541
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2022-21549
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Additional information:
N/A
Downloads:
SRPMS
- java-17-openjdk-17.0.4.0.8-2.el8.src.rpm
Size: 61.25 MB
Asianux Server 8 for x86_64
- java-17-openjdk-17.0.4.0.8-2.el8.x86_64.rpm
Size: 251.87 kB
- java-17-openjdk-demo-17.0.4.0.8-2.el8.x86_64.rpm
Size: 3.41 MB
- java-17-openjdk-devel-17.0.4.0.8-2.el8.x86_64.rpm
Size: 5.11 MB
- java-17-openjdk-headless-17.0.4.0.8-2.el8.x86_64.rpm
Size: 41.18 MB
- java-17-openjdk-javadoc-17.0.4.0.8-2.el8.x86_64.rpm
Size: 15.99 MB
- java-17-openjdk-javadoc-zip-17.0.4.0.8-2.el8.x86_64.rpm
Size: 40.21 MB
- java-17-openjdk-jmods-17.0.4.0.8-2.el8.x86_64.rpm
Size: 238.84 MB
- java-17-openjdk-src-17.0.4.0.8-2.el8.x86_64.rpm
Size: 45.28 MB
- java-17-openjdk-static-libs-17.0.4.0.8-2.el8.x86_64.rpm
Size: 25.39 MB
- java-17-openjdk-demo-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 3.41 MB
- java-17-openjdk-demo-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 3.41 MB
- java-17-openjdk-devel-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 5.11 MB
- java-17-openjdk-devel-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 5.11 MB
- java-17-openjdk-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 260.94 kB
- java-17-openjdk-headless-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 45.67 MB
- java-17-openjdk-headless-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 43.72 MB
- java-17-openjdk-jmods-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 231.71 MB
- java-17-openjdk-jmods-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 171.96 MB
- java-17-openjdk-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 249.98 kB
- java-17-openjdk-src-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 45.28 MB
- java-17-openjdk-src-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 45.28 MB
- java-17-openjdk-static-libs-fastdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 25.55 MB
- java-17-openjdk-static-libs-slowdebug-17.0.4.0.8-2.el8.x86_64.rpm
Size: 21.53 MB