概述
Important: java-1.8.0-openjdk security and bug fix update
类型/严重性
Security Advisory: Important
标题
An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
描述
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.
Security Fix(es):
- OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)
- OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)
- OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)
- OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)
- OpenJDK: arbitrary Java code execution in Nashorn (8314284) (CVE-2024-20926)
- OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- In the previous release in October 2023 (8u392), the RPMs were changed to use Provides for java, jre, java-headless, jre-headless, java-devel and java-sdk which included the full RPM version. This prevented the Provides being used to resolve a dependency on Java 1.8.0 (for example, "Requires: java-headless 1:1.8.0"). This change has now been reverted to the old "1:1.8.0" value. (RHEL-19635)
解决方案
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of OpenJDK Java must be restarted for this update to take effect.
受影响的产品
-
Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
-
Red Hat Enterprise Linux Server - AUS 8.6 x86_64
-
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
-
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
-
Red Hat Enterprise Linux Server - TUS 8.6 x86_64
-
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
-
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
-
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64
-
Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.6 x86_64
-
Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.6 ppc64le
-
Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.6 aarch64
修复
-
BZ - 2257728
- CVE-2024-20918 OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468)
-
BZ - 2257837
- CVE-2024-20952 OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547)
-
BZ - 2257850
- CVE-2024-20926 OpenJDK: arbitrary Java code execution in Nashorn (8314284)
-
BZ - 2257853
- CVE-2024-20919 OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295)
-
BZ - 2257859
- CVE-2024-20921 OpenJDK: range check loop optimization issue (8314307)
-
BZ - 2257874
- CVE-2024-20945 OpenJDK: logging of digital signature private keys (8316976)