Debian Bug report logs -
#1035957
openjdk-17: CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, OpenJDK Team <openjdk-17@packages.debian.org>:
Bug#1035957; Package src:openjdk-17.
(Thu, 11 May 2023 15:48:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, OpenJDK Team <openjdk-17@packages.debian.org>.
(Thu, 11 May 2023 15:48:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: openjdk-17
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-17.
CVE-2023-21930[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via TLS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized creation, deletion or modification access
| to critical data or all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized access to critical
| data or complete access to all Oracle Java SE, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability applies
| to Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. This vulnerability can also be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVE-2023-21937[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Networking). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21938[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and
| 22.3.0. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted code
| (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21939[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Swing). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Easily exploitable vulnerability allows unauthenticated attacker with
| network access via HTTP to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability can also be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21954[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Hotspot). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized access to critical data or
| complete access to all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-21967[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via HTTPS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21968[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-21930
https://www.cve.org/CVERecord?id=CVE-2023-21930
[1] https://security-tracker.debian.org/tracker/CVE-2023-21937
https://www.cve.org/CVERecord?id=CVE-2023-21937
[2] https://security-tracker.debian.org/tracker/CVE-2023-21938
https://www.cve.org/CVERecord?id=CVE-2023-21938
[3] https://security-tracker.debian.org/tracker/CVE-2023-21939
https://www.cve.org/CVERecord?id=CVE-2023-21939
[4] https://security-tracker.debian.org/tracker/CVE-2023-21954
https://www.cve.org/CVERecord?id=CVE-2023-21954
[5] https://security-tracker.debian.org/tracker/CVE-2023-21967
https://www.cve.org/CVERecord?id=CVE-2023-21967
[6] https://security-tracker.debian.org/tracker/CVE-2023-21968
https://www.cve.org/CVERecord?id=CVE-2023-21968
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 11 May 2023 18:27:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri May 12 13:12:36 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon