java-1.8.0-openjdk-1.8.0.372.b07-1.el8
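Errata ID: AXSA:2023-5313:07
The following issues have been addressed.
[Security Fix]
- The JSSE component of Java contains a vulnerability that allows an
unauthenticated remote attacker with network access via TLS to insert,
delete, or update data without authorization.
(CVE-2023-21930)
- The Networking component of Java contains a vulnerability that allows an
unauthenticated remote attacker with network access via multiple
protocols to update, insert, or delete data without authorization.
(CVE-2023-21937)
- The Libraries component of Java contains a vulnerability that allows an
unauthenticated remote attacker with network access via multiple
protocols to update, insert, or delete data without authorization.
(CVE-2023-21938)
- The Swing component of Java contains a vulnerability that allows an
unauthenticated remote attacker with network access via HTTP to update,
insert, or delete data without authorization.
(CVE-2023-21939)
- The Hotspot component of Java contains a vulnerability that allows an
unauthenticated remote attacker with network access via multiple
protocols to gain unauthorized access to critical data.
(CVE-2023-21954)
- The JSSE component of Java contains a vulnerability that allows an
unauthenticated remote attacker with network access via the HTTPS
protocol to cause a process hang or crash, resulting in a denial of
service.
(CVE-2023-21967)
- The Libraries component of Java contains a vulnerability that allows an
unauthenticated remote attacker with network access via multiple
protocols to update, insert, or delete data without authorization.
(CVE-2023-21968)
Update the packages.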
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
N/A
SRPMS
- java-1.8.0-openjdk-1.8.0.372.b07-1.el8.src.rpm
MD5: 5340d74181e4d4b6095338ef92bfbc2e
SHA-256: 03cf40c4c4763094325a608dc2425aae6647325badec815875680f7c7be2b0ea
Size: 55.79 MB
Asianux Server 8 for x86_64
- java-1.8.0-openjdk-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 4f01e019b70c1b440ce7d5232d38ff3e
SHA-256: 145863fed0d420737d06ac29f685f940e65082eaec307e081005963e5171160a
Size: 543.18 kB
- java-1.8.0-openjdk-accessibility-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: ca38269d96eb29a67ab96499c1fca4f8
SHA-256: 11ce39454e17ffa45e0a5b0d53dd07d78baaf588574792aef2273cd21dabc6cf
Size: 114.06 kB
- java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 10928ef3607f90f668ce26ed933a01c8
SHA-256: 7af72758151d2124aa69f9668aaa3ec6ae692d1aeab814979f359449cc250b55
Size: 113.91 kB
- java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: a1613eb7ffd7f98f11e502e3b4995cee
SHA-256: 174c748486c80f99bf11574e279f1993eedb42fb6f3d89be3f00e56a126560e4
Size: 113.91 kB
- java-1.8.0-openjdk-demo-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 06961bafd3f0b29b8cbf241487e94be9
SHA-256: 8cb67c2cbb459339750b62ba2302c93c98ccc8a0d545b394575eee8b9332c7d3
Size: 2.06 MB
- java-1.8.0-openjdk-demo-fastdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 31c2bd341d6a02da69e7f55c79813416
SHA-256: ba7ff9921474dd40f3b0222a9064209d6ef563c39157ca4d68e97aa4ea2050b1
Size: 2.08 MB
- java-1.8.0-openjdk-demo-slowdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 07d9158129c9e7738cc7a93a04c10e24
SHA-256: cf374f110c07c315e8a37b9aa6276382279fe2e1be07e3c408de72c0b786041f
Size: 2.08 MB
- java-1.8.0-openjdk-devel-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 6ab1d8fd7c93416cab9905d04da52b76
SHA-256: e1d99bdbd4a3843dc155e1297bebe70dd06346da68d626d9a9a2cc151f78b07e
Size: 9.93 MB
- java-1.8.0-openjdk-devel-fastdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 0b9005359f2c0d5e3902bc53940c82e7
SHA-256: 54842045fb54ab2224ba0068b94787dc4b9c00184606be1a25f99fdf67fb1df0
Size: 9.94 MB
- java-1.8.0-openjdk-devel-slowdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 3695f42f41a0c3573e86b8214d9acceb
SHA-256: 26881358cc0f398b141bad1157097a8e3eec42cc94a9cd068dfc2ce1db16f225
Size: 9.94 MB
- java-1.8.0-openjdk-fastdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 4005546966f613e7cc2f205b6fc3e144
SHA-256: fe2af017384abad00fe34c76b320679ea9dcf21b2e53e930917bc9704ab22420
Size: 556.73 kB
- java-1.8.0-openjdk-headless-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 7412c1b7241c15578736239de48b985a
SHA-256: 606ca0e6ddd15f602172688bcfd0d5b6480570e0adb3d91e0ba676383d1211bd
Size: 34.37 MB
- java-1.8.0-openjdk-headless-fastdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: cc27f221249d62461d01e07f1eb218bb
SHA-256: 4f2a243e61a0bd3231b4734e02a5b6b990eacecf97f3b4040d724185675c720d
Size: 38.02 MB
- java-1.8.0-openjdk-headless-slowdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 54ae45e70248fbb65ef3d411d01a971e
SHA-256: 92201253b7b0e566b218c632453599bbf0146bb70ed69336bd70459ed19bd03e
Size: 36.18 MB
- java-1.8.0-openjdk-javadoc-1.8.0.372.b07-1.el8.noarch.rpm
MD5: 6d2b7e065350d907aa7842f8fbfaef05
SHA-256: dd3947b501edfc2aa526de1512df438db1f1b49c74eddd34ccf956b3ef9370ce
Size: 15.19 MB
- java-1.8.0-openjdk-javadoc-zip-1.8.0.372.b07-1.el8.noarch.rpm
MD5: 09bb9d88c100f321801c89a377e70b19
SHA-256: 474035f0b1e4b10d6d4ed7429ad0f649a9402bddd1e12d3d10f2d81aece68880
Size: 41.65 MB
- java-1.8.0-openjdk-slowdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: de0eab4b5f0c819a1a8f7e59ff08034f
SHA-256: e26d005f7db7f3077911c98f68ee201aaee2440bf6171cc4cc004300f4fc9a20
Size: 523.61 kB
- java-1.8.0-openjdk-src-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 17a26c895b972c171591d9a63d33e377
SHA-256: 59f8d498431f31aa4159cd6637266301356b814c4ccc4a72bb4732a8fb60074d
Size: 45.47 MB
- java-1.8.0-openjdk-src-fastdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 785049c482cbeb93d924d565fef6ea06
SHA-256: 2bea1f1624cc210c33e6d0e9c45c382093ec20c3a1895d7e2f46419b2ef4e4ee
Size: 45.47 MB
- java-1.8.0-openjdk-src-slowdebug-1.8.0.372.b07-1.el8.x86_64.rpm
MD5: 111fabf6509e7b1a7f131439467e7c23
SHA-256: 03e1135d1aa2613c799ff5071966abe064b2dfb50566df53f6970e0d12bb8a2a
Size: 45.47 MB