java-17-openjdk-17.0.8.0.7-2.el8
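Errata ID: AXSA:2023-6263:12
The following issues have been addressed.
[Security Fix]
- The Networking component of Java contains a vulnerability that allows an unauthenticated remote attacker to update, insert, or delete data without authorization via network access over multiple protocols. (CVE-2023-22006)
- The Utility component of Java contains a vulnerability that allows an unauthenticated remote attacker to cause a partial denial of service via network access over multiple protocols. (CVE-2023-22036)
- The Hotspot component of Java contains a vulnerability that allows an unauthenticated local attacker to disclose information by loading crafted code. (CVE-2023-22041)
- The Hotspot component of Java contains a vulnerability that allows an unauthenticated remote attacker to read data without authorization via network access over multiple protocols. (CVE-2023-22044)
- The Hotspot component of Java contains a vulnerability that allows an unauthenticated remote attacker to read data without authorization via network access over multiple protocols. (CVE-2023-22045)
- The Libraries component of Java contains a vulnerability that allows an unauthenticated remote attacker to update, insert, or delete data without authorization via network access over multiple protocols. (CVE-2023-22049)
- HarfBuzz has an issue in which the work of looking back for the base glyph during mark processing grows exponentially, which allows a remote attacker to cause a denial of service (CPU resource exhaustion) via consecutive marks. (CVE-2023-25193)
Update the packages.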
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
SRPMS
- java-17-openjdk-17.0.8.0.7-2.el8.src.rpm
Size: 61.82 MB
Asianux Server 8 for x86_64
- java-17-openjdk-17.0.8.0.7-2.el8.x86_64.rpm
Size: 455.74 kB
- java-17-openjdk-demo-17.0.8.0.7-2.el8.x86_64.rpm
Size: 3.43 MB
- java-17-openjdk-demo-fastdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 3.43 MB
- java-17-openjdk-demo-slowdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 3.43 MB
- java-17-openjdk-devel-17.0.8.0.7-2.el8.x86_64.rpm
Size: 5.12 MB
- java-17-openjdk-devel-fastdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 5.12 MB
- java-17-openjdk-devel-slowdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 5.12 MB
- java-17-openjdk-fastdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 464.77 kB
- java-17-openjdk-headless-17.0.8.0.7-2.el8.x86_64.rpm
Size: 46.55 MB
- java-17-openjdk-headless-fastdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 51.04 MB
- java-17-openjdk-headless-slowdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 50.25 MB
- java-17-openjdk-javadoc-17.0.8.0.7-2.el8.x86_64.rpm
Size: 16.02 MB
- java-17-openjdk-javadoc-zip-17.0.8.0.7-2.el8.x86_64.rpm
Size: 40.28 MB
- java-17-openjdk-jmods-17.0.8.0.7-2.el8.x86_64.rpm
Size: 261.84 MB
- java-17-openjdk-jmods-fastdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 253.81 MB
- java-17-openjdk-jmods-slowdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 190.73 MB
- java-17-openjdk-slowdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 438.09 kB
- java-17-openjdk-src-17.0.8.0.7-2.el8.x86_64.rpm
Size: 45.35 MB
- java-17-openjdk-src-fastdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 45.35 MB
- java-17-openjdk-src-slowdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 45.35 MB
- java-17-openjdk-static-libs-17.0.8.0.7-2.el8.x86_64.rpm
Size: 36.37 MB
- java-17-openjdk-static-libs-fastdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 36.56 MB
- java-17-openjdk-static-libs-slowdebug-17.0.8.0.7-2.el8.x86_64.rpm
Size: 31.57 MB