java-17-openjdk-17.0.8.0.7-2.el9.ML.1

エラータID: AXSA:2023-6268:14

リリース日: 
2023/07/28 Friday - 06:39
題名: 
java-17-openjdk-17.0.8.0.7-2.el9.ML.1
影響のあるチャネル: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

以下項目について対処しました。

[Security Fix]
- Java の Networking コンポーネントには、認証されていないリモート
の攻撃者により、複数のプロトコルを用いたネットワークアクセスを
介して、不正なデータの更新や挿入、削除を可能とする脆弱性が存在
します。(CVE-2023-22006)

- Java の Utility コンポーネントには、認証されていないリモートの
攻撃者により、複数のプロトコルを用いたネットワークアクセスを介して、
部分的なサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2023-22036)

- Java の Hotspot コンポーネントには、認証されていないローカルの
攻撃者により、細工されたコードをロードすることを介して、情報の漏洩
を可能とする脆弱性が存在します。(CVE-2023-22041)

- Java の Hotspot コンポーネントには、認証されていないリモートの
攻撃者により、複数のプロトコルを用いたネットワークアクセスを介して、
不正なデータの読み取りを可能とする脆弱性が存在します。
(CVE-2023-22044)

- Java の Hotspot コンポーネントには、認証されていないリモートの
攻撃者により、複数のプロトコルを用いたネットワークアクセスを介して、
不正なデータの読み取りを可能とする脆弱性が存在します。
(CVE-2023-22045)

- Java の Libraries コンポーネントには、認証されていないリモートの
攻撃者により、複数のプロトコルを用いたネットワークアクセスを介して、
不正なデータの更新や挿入、削除を可能とする脆弱性が存在します。
(CVE-2023-22049)

- HarfBuzz には、マーキング処理内で元のグリフを探索する処理が
指数関数的に増加してしまう問題があるため、リモートの攻撃者により、
連続するマーキング処理を介して、サービス拒否攻撃 (CPU リソース枯渇)
を可能とする脆弱性が存在します。(CVE-2023-25193)

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2023-22006
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
CVE-2023-22036
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2023-22041
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-22044
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2023-22045
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2023-22049
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-25193
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. java-17-openjdk-17.0.8.0.7-2.el9.ML.1.src.rpm
    MD5: 4e5459324e1a19661cb05e6d9899a50b
    SHA-256: c12fa3eef1408912da1d0ab2f419f962fa09a3ec72853805b39f16e3ec622d07
    Size: 61.80 MB

Asianux Server 9 for x86_64
  1. java-17-openjdk-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 3d8253b8c40e9a6c4d6ce79e8ef7e581
    SHA-256: 6bb4f6d38fd2555f74514dc88bc2ebd92200ff41281bc69b172e653e3353f418
    Size: 433.93 kB
  2. java-17-openjdk-demo-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: fecfa081eed664cc93e050e7ea4776a9
    SHA-256: 76c2527ec87371e30b4714818eed6cc2d3975bc304a3e5d38bd246089674258a
    Size: 3.38 MB
  3. java-17-openjdk-demo-fastdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: f56899b37a6e18e0982da04b1d29c3f1
    SHA-256: d9b0fbcd909ccc5aa1c58e35f9f0de91a4fd73b4a9378bf2f5ee3e9c86e57afa
    Size: 3.38 MB
  4. java-17-openjdk-demo-slowdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: d627f3c4bd09581ca086a363807c343c
    SHA-256: 3c7529300fb22244c9f3f47915310638875ef2d438d917ad7333c8b8b989d603
    Size: 3.38 MB
  5. java-17-openjdk-devel-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 513c78154f71f841a4ba1f80a2d8a5ba
    SHA-256: 347684f44247a932fa11c62ce550dfc7096fae7a0cff78f600a72fd240ac5b73
    Size: 4.72 MB
  6. java-17-openjdk-devel-fastdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: c290b466481a6c9a1026da8a7c06159a
    SHA-256: 33bf5d619005247379e3bb5f95febc7035f2c8e77e5d60bfdb4c83d73006219f
    Size: 4.72 MB
  7. java-17-openjdk-devel-slowdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 4e645233f472fb74d803f4849d9a1746
    SHA-256: 1857ead82953a93ea4241680c6e40a67430a863172e351bc190fb3ef03e8ef5a
    Size: 4.72 MB
  8. java-17-openjdk-fastdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 7717c806bbdd41e9d803aa8fb3ead77d
    SHA-256: 0fb47b0354ba73ffc49542f0ff43c4f41fed5c973309d143eed07dae557c3e02
    Size: 443.00 kB
  9. java-17-openjdk-headless-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 769274a9c021e5df63a2372556aa5921
    SHA-256: ef7472a5feba28c40983a76c9922f63b63bf400b537f4f04cf396b543f86210b
    Size: 45.04 MB
  10. java-17-openjdk-headless-fastdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: b07af3f27ca7ceb36b350f3339080ba5
    SHA-256: 1ce924167f6f95292450894a775deafb9c2f068dba28a8aafd4b7f27713ba6a3
    Size: 50.22 MB
  11. java-17-openjdk-headless-slowdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 300f503884c30cd88a1421d21725432a
    SHA-256: 323fa90836a0f8d013e953d7d29165af20933157682cef195bfb83442fb98f90
    Size: 48.74 MB
  12. java-17-openjdk-javadoc-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 3ae5b1e2b0f4ed53767143b8f6518679
    SHA-256: 5a185a6b76a6069cec42c74c6e36f7e15db7cdc3c7b169292ab4ce93f91978a0
    Size: 12.47 MB
  13. java-17-openjdk-javadoc-zip-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: a00cb5ba33500c51470ef5ac4476f9da
    SHA-256: 5a5ab594af9bd77bd3bcdb10f588a74ba8d37653c58867c305b4cbc83e09081a
    Size: 39.42 MB
  14. java-17-openjdk-jmods-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: cff7c565d1b2897c5b902fd8a8850893
    SHA-256: e8bc211389cca4bf1e2a22ff20fe5d54e396d9cb03589e5759c11fc1c49182d2
    Size: 250.13 MB
  15. java-17-openjdk-jmods-fastdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: b4eba048e4891e5465a72001f039c303
    SHA-256: 9e1436134bc4450ac4f5d1a0df2a523832cc6ebc4544b7cfc33a865af779e2a8
    Size: 249.74 MB
  16. java-17-openjdk-jmods-slowdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 902d848f2f72efe1ad075b130f15f562
    SHA-256: 0bbf1ba034cd1a68aff28304620fc4288bffa5f2d913fc19d53454328955fe0b
    Size: 179.37 MB
  17. java-17-openjdk-slowdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 03989cb1226fed19dfc77ae47a9a22c9
    SHA-256: 32338540c9960a674ef74ed418745b2b4b0b16898d18ff236833d087ad9ca635
    Size: 412.75 kB
  18. java-17-openjdk-src-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 3080774d0bb8e83e6ae469c2ddd8cac4
    SHA-256: 2ac0ab1d606edc0b5fa656c9bc39e5a155edebb65a4a064592e67805480cab96
    Size: 44.70 MB
  19. java-17-openjdk-src-fastdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 528ac78ae630f9fbaac40ba37b5102d2
    SHA-256: b51eb1a148f1cfaaeaad22b59d107e1fb856491d42ef497c500ea5e609728045
    Size: 44.71 MB
  20. java-17-openjdk-src-slowdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: ca0e887aaff66a1786a6209eacf51a67
    SHA-256: 2ba22cc4f9a2ad6df5e3ee72687161528270156556bd9da7b51b0c32152979c5
    Size: 44.71 MB
  21. java-17-openjdk-static-libs-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 507be5feaf1993a2824d8a60e8a47f38
    SHA-256: b67235feadbccd9b63638c09e5b6f2862c7eb256479eabe2ae4f8fdbee3bbb47
    Size: 32.47 MB
  22. java-17-openjdk-static-libs-fastdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: 7399e0a285350a321e82b9eedbdff36d
    SHA-256: 9459bd7e57e330347a2d798acf8c6bfd7cab4d1f68e8d4d7767b6b845df74856
    Size: 32.37 MB
  23. java-17-openjdk-static-libs-slowdebug-17.0.8.0.7-2.el9.ML.1.x86_64.rpm
    MD5: ee885959b73bcde56f83b784561ba266
    SHA-256: bc5f214c4cf351b9ac130b5d5cebc2729b459f82c245205c5033b43c9e79b9d8
    Size: 29.07 MB