Bug#1085696: openjdk-8: CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235
Moritz Mühlenhoff
jmm at inutil.org
Mon Oct 21 19:45:04 BST 2024
Source: openjdk-8
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-8.
CVE-2024-21208[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Networking). Supported versions that are affected are Oracle Java
| SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM
| for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition:
| 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted
| code (e.g., code installed by an administrator). CVSS 3.1 Base Score
| 3.7 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21210[1]:
| Vulnerability in Oracle Java SE (component: Hotspot). Supported
| versions that are affected are Oracle Java SE: 8u421, 8u421-perf,
| 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE. Successful attacks of this
| vulnerability can result in unauthorized update, insert or delete
| access to some of Oracle Java SE accessible data. Note: This
| vulnerability can be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. This vulnerability also applies to Java deployments, typically
| in clients running sandboxed Java Web Start applications or
| sandboxed Java applets, that load and run untrusted code (e.g., code
| that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2024-21217[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Serialization). Supported versions that are affected are Oracle
| Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle
| GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise
| Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a partial
| denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM
| for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21235[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM
| for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition:
| 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized read access to a
| subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-21208
https://www.cve.org/CVERecord?id=CVE-2024-21208
[1] https://security-tracker.debian.org/tracker/CVE-2024-21210
https://www.cve.org/CVERecord?id=CVE-2024-21210
[2] https://security-tracker.debian.org/tracker/CVE-2024-21217
https://www.cve.org/CVERecord?id=CVE-2024-21217
[3] https://security-tracker.debian.org/tracker/CVE-2024-21235
https://www.cve.org/CVERecord?id=CVE-2024-21235
Please adjust the affected versions in the BTS as needed.
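The request above to name every CVE id in the changelog is easy to get wrong when a report bundles several ids. The script below is an added example, not part of the bug report and not Debian's own tooling: it pulls the unique CVE ids out of a report text, checks each one against a debian/changelog entry, and prints the ids that are still missing. Both input files are constructed samples (the changelog's version string 8uNNN-1 is a placeholder, not a real upload), and the function names `cve_ids`, `missing_cves` and `write_samples` are this example's own.

```shell
#!/bin/sh
# Added example: compare the CVE ids named in a bug report with those
# mentioned in a debian/changelog entry before uploading a fix.

# Print the unique CVE ids found in a text file (report or changelog).
cve_ids() {
  grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' "$1" | sort -u
}

# Print the ids present in the report ($1) but absent from the changelog ($2).
# The exit status is the number of missing ids, so 0 means the entry is complete.
missing_cves() {
  missing=0
  for cve in $(cve_ids "$1"); do
    if ! grep -q -- "$cve" "$2"; then
      echo "$cve"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Constructed sample inputs: a trimmed copy of bug #1085696 and a changelog
# entry that names only three of its four ids. Prints the two temp paths.
write_samples() {
  report=$(mktemp)
  changelog=$(mktemp)
  cat > "$report" <<'EOF'
Bug#1085696: openjdk-8: CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235
Source: openjdk-8
CVE-2024-21208[0]:
| Vulnerability in the Oracle Java SE (component: Networking).
[0] https://security-tracker.debian.org/tracker/CVE-2024-21208
[3] https://security-tracker.debian.org/tracker/CVE-2024-21235
EOF
  cat > "$changelog" <<'EOF'
openjdk-8 (8uNNN-1) unstable; urgency=high

  * New upstream release, fixing security issues (Closes: #1085696):
    - CVE-2024-21208, CVE-2024-21210, CVE-2024-21217

 -- Example Maintainer <maintainer@example.org>  Mon, 21 Oct 2024 20:00:00 +0100
EOF
  echo "$report $changelog"
}

# Stand-alone run on the constructed samples: lists CVE-2024-21235 as missing.
set -- $(write_samples)
missing_cves "$1" "$2" || echo "$? CVE id(s) missing from the changelog"
rm -f "$1" "$2"
```

Run it against the real files with `missing_cves report.txt debian/changelog`; a non-zero exit status makes it usable as a pre-upload gate in a build script.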