Bug#1069678: openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094
Moritz Mühlenhoff
jmm at inutil.org
Mon Apr 22 15:42:15 BST 2024
Source: openjdk-8
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-8.
CVE-2024-21011[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition:
| 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21068[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK:
| 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
| Successful attacks of this vulnerability can result in unauthorized
| update, insert or delete access to some of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2024-21085[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Concurrency).
| Supported versions that are affected are Oracle Java SE: 8u401,
| 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and
| 21.3.9. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a partial denial of service (partial DOS) of Oracle Java SE,
| Oracle GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21094[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13
| and 21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-21011
https://www.cve.org/CVERecord?id=CVE-2024-21011
[1] https://security-tracker.debian.org/tracker/CVE-2024-21068
https://www.cve.org/CVERecord?id=CVE-2024-21068
[2] https://security-tracker.debian.org/tracker/CVE-2024-21085
https://www.cve.org/CVERecord?id=CVE-2024-21085
[3] https://security-tracker.debian.org/tracker/CVE-2024-21094
https://www.cve.org/CVERecord?id=CVE-2024-21094
Please adjust the affected versions in the BTS as needed.
More information about the pkg-java-maintainers
mailing list