Bug#1118944: openjdk-8: CVE-2025-53057 CVE-2025-53066

[Moritz Mühlenhoff]

Source: openjdk-8
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2025-53057[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security).  Supported versions that are affected are Oracle Java SE:
| 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for
| JDK: 17.0.16 and  21.0.8; Oracle GraalVM Enterprise Edition:
| 21.3.15. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition.  Successful attacks of this vulnerability can result in
| unauthorized creation, deletion or modification access to critical
| data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9
| (Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).


CVE-2025-53066[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JAXP).  Supported versions that are affected are Oracle Java SE:
| 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for
| JDK: 17.0.16 and  21.0.8; Oracle GraalVM Enterprise Edition:
| 21.3.15. Easily exploitable vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition.  Successful attacks of this vulnerability can result in
| unauthorized access to critical data or complete access to all
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5
| (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53057
    https://www.cve.org/CVERecord?id=CVE-2025-53057
[1] https://security-tracker.debian.org/tracker/CVE-2025-53066
    https://www.cve.org/CVERecord?id=CVE-2025-53066

Please adjust the affected versions in the BTS as needed.