openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094


Debian Bug report logs - #1069678

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 22 Apr 2024 14:45:04 UTC

Severity: grave

Tags: security, upstream

Fixed in version openjdk-8/8u412-ga-1

Done: Thorsten Glaser <tg@mirbsd.de>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Java Maintenance <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1069678; Package src:openjdk-8. (Mon, 22 Apr 2024 14:45:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Java Maintenance <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 22 Apr 2024 14:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094
Date: Mon, 22 Apr 2024 16:42:15 +0200
Source: openjdk-8
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2024-21011[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22;   Oracle GraalVM Enterprise Edition:
| 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21068[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK:
| 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
| Successful attacks of this vulnerability can result in  unauthorized
| update, insert or delete access to some of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


CVE-2024-21085[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Concurrency).
| Supported versions that are affected are Oracle Java SE: 8u401,
| 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and
| 21.3.9. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a partial denial of service (partial DOS) of Oracle Java SE,
| Oracle GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


CVE-2024-21094[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13
| and  21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in  unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21011
    https://www.cve.org/CVERecord?id=CVE-2024-21011
[1] https://security-tracker.debian.org/tracker/CVE-2024-21068
    https://www.cve.org/CVERecord?id=CVE-2024-21068
[2] https://security-tracker.debian.org/tracker/CVE-2024-21085
    https://www.cve.org/CVERecord?id=CVE-2024-21085
[3] https://security-tracker.debian.org/tracker/CVE-2024-21094
    https://www.cve.org/CVERecord?id=CVE-2024-21094

Please adjust the affected versions in the BTS as needed.



Information forwarded to debian-bugs-dist@lists.debian.org, Java Maintenance <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1069678; Package src:openjdk-8. (Mon, 22 Apr 2024 22:48:03 GMT)


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Java Maintenance <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 22 Apr 2024 22:48:03 GMT)


Message #10 received at 1069678@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: Moritz Mühlenhoff <jmm@inutil.org>, 1069678@bugs.debian.org
Subject: Re: Bug#1069678: openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094
Date: Mon, 22 Apr 2024 22:41:03 +0000 (UTC)
tags 1069678 + pending
thanks

I’m working on it. Upload should come RSN.

AIUI the security team can feel free to ignore openjdk-8
as it’s in sid for bootstrapping and preparing ELTS upgrades
and downstreams purposes, and not “as is” security-supported
in Debian, so if it helps lowering the workload…



Added tag(s) pending. Request was from Thorsten Glaser <tg@mirbsd.de> to control@bugs.debian.org. (Mon, 22 Apr 2024 22:48:04 GMT)


Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Mon, 22 Apr 2024 23:39:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 22 Apr 2024 23:39:03 GMT)


Message #17 received at 1069678-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1069678-close@bugs.debian.org
Subject: Bug#1069678: fixed in openjdk-8 8u412-ga-1
Date: Mon, 22 Apr 2024 23:34:17 +0000
Source: openjdk-8
Source-Version: 8u412-ga-1
Done: Thorsten Glaser <tg@mirbsd.de>

We believe that the bug you reported is fixed in the latest version of
openjdk-8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated openjdk-8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 23 Apr 2024 01:10:58 +0200
Source: openjdk-8
Architecture: source
Version: 8u412-ga-1
Distribution: unstable
Urgency: medium
Maintainer: Java Maintenance <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Closes: 1069678
Changes:
 openjdk-8 (8u412-ga-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #1069678)
   * CVEs
     - CVE-2024-21011
     - CVE-2024-21085
     - CVE-2024-21068
     - CVE-2024-21094
   * Security fixes
     - JDK-8317507, JDK-8325348: C2 compilation fails
       with "Exceeded _node_regs array"
     - JDK-8318340: Improve RSA key implementations
     - JDK-8319851: Improve exception logging
     - JDK-8322114: Improve Pack 200 handling
     - JDK-8322122: Enhance generation of addresses
   * Other changes see
     https://mail.openjdk.org/pipermail/jdk8u-dev/2024-April/018329.html
   * Upload sponsored by QVEST ⮡ dıgıtal
   * Re-enable running tests by default except on noble/i386 (lacks prereqs)
   * Switch from pkg-config to pkgconf for bookworm/mantic+ (lintian)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 Apr 2024 06:48:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 23 11:54:40 2024; Machine Name: buxtehude
