Vulnerabilities

 55 via 56 paths

Dependencies

 19

Source

 Group 6 Copy Created with Sketch. Docker

Target OS

 alpine:3.8.1
Test your Docker Hub image against our market leading vulnerability database Sign up for free
Severity
  • 2
  • 6
  • 31
  • 16
Status
  • 55
  • 0
  • 0
OS binaries
  • 2
  • 53

critical severity

Out-of-bounds Write

  • Vulnerable module: musl/musl
  • Introduced through: musl/musl@1.1.19-r10 and musl/musl-utils@1.1.19-r10
  • Fixed in: 1.1.19-r11

Detailed paths

  • Introduced through: azul/zulu-openjdk-alpine@6u119-6.22.0.3 musl/musl@1.1.19-r10
  • Introduced through: azul/zulu-openjdk-alpine@6u119-6.22.0.3 musl/musl-utils@1.1.19-r10

NVD Description

Note: Versions mentioned in the description apply only to the upstream musl package and not the musl package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.

Remediation

Upgrade Alpine:3.8 musl to version 1.1.19-r11 or higher.

References

Out-of-bounds Write vulnerability report

critical severity

CVE-2011-3548

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

It allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.

Remediation

Upgrade openjdk-jre to version 7.0.1 or higher.

References

CVE-2011-3548 vulnerability report

high severity

Information Exposure

  • Vulnerable module: wget/wget
  • Introduced through: wget/wget@1.19.5-r0
  • Fixed in: 1.20.1-r0

Detailed paths

  • Introduced through: azul/zulu-openjdk-alpine@6u119-6.22.0.3 wget/wget@1.19.5-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.

Remediation

Upgrade Alpine:3.8 wget to version 1.20.1-r0 or higher.

References

Information Exposure vulnerability report

high severity

Access Restriction Bypass

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Access Restriction Bypass by an unauthenticated attacker with network access via multiple protocols. This is due to incorrect implementation of the ECDSA cryptographic signature in Java. Exploiting this vulnerability results in unauthorized creation, deletion, or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

  2. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

Access Restriction Bypass vulnerability report

high severity

Information Exposure

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure by allowing unauthenticated attackers with network access via multiple protocols to access critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

Information Exposure vulnerability report

high severity

Sandbox Bypass

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Sandbox Bypass. A flaw was found in the way the Hotspot component of OpenJDK performed range check elimination. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

Remediation

Upgrade openjdk-jre to version 8.0.301, 11.0.12, 16.0.2 or higher.

References

Sandbox Bypass vulnerability report

high severity

Covert Timing Channel

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Covert Timing Channel in the security-libs/java.security component. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

Covert Timing Channel vulnerability report

high severity

Improper Privilege Management

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Privilege Management in the hotspot/compiler component.

Note This is only exploitable if the attacker utilizes APIs in the specified component, such as through a web service that provides data to the APIs. Additionally, the vulnerability affects Java deployments that execute untrusted code, relying on the Java sandbox for security.

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

Improper Privilege Management vulnerability report

medium severity

Access Restriction Bypass

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Access Restriction Bypass via incorrect principal selection when using Kerberos Constrained Delegation result in unauthorized access to critical data or complete access to all GraalVM accessible data.

Remediation

Upgrade openjdk-jre to version 7.0.321, 8.0.311, 11.0.13, 17.0.1 or higher.

References

Access Restriction Bypass vulnerability report

medium severity

CVE-2014-2422

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

It allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

Remediation

Upgrade openjdk-jre to version 7.0.55, 8.0.5 or higher.

References

CVE-2014-2422 vulnerability report

medium severity

Improper Access Control

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control due to improper access restriction of the MethodHandle.invokeBasic method of the Hotspot component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.

References

Improper Access Control vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation due to a range check loop optimization issue in the hotspot/compiler component. An attacker can obtain sensitive information without authorization by exploiting the improper input validation.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation due to a flaw in the JVM class file verifier in the hotspot/runtime component. An attacker can execute unverified bytecode by crafting a malicious input that bypasses the verification process.

Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

Improper Input Validation vulnerability report

medium severity

Information Exposure

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure in the core-libs/javax.script component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22 or higher.

References

Information Exposure vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling the implementation of the IdentityHashMap class doesn't properly validate the value of its size attribute when creating object instances from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. A flaw was found in the way the BMPImageReader class implementation in the ImageIO performs memory allocations when reading palette information from BMP images. A specially-crafted BMP file could cause a Java application to consume an excessive amount of memory when opened.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. A flaw was found in the way the Attributes class in the Libraries component performs reading of attributes with very long values from the JAR file manifests. A specially-crafted JAR archive could cause a Java application reading its manifest to use an excessive amount of system resources and hang.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when HttpServer has no connection count limit. Exploiting this vulnerability allows unauthenticated attackers with network access via HTTP protocol to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.

Remediation

Upgrade openjdk-jre to version 8.0.351, 11.0.17, 17.0.5, 19.0.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) by allowing unauthenticated users with network access to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition via multiple protocols.

Note: This issue is reported to only affect Java running on Solaris platform and is not believed to be applicable to other platforms.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) by allowing unauthenticated attackers with network access via multiple protocols to compromise the application.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) due to the computeNextExponential method of the Libraries component failing to comply with the documentation, returning sometimes negative numbers.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) due to excessive memory allocation in X.509 certificate parsing (Security, 8286533). Exploiting this vulnerability allows unauthenticated attackers with network access via HTTPS to cause a partial denial of service of Oracle Java SE, Oracle GraalVM Enterprise Edition.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 8.0.351, 11.0.17 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) in security-libs/javax.net.ssl, when running untrusted code.

Remediation

Upgrade openjdk-jre to version 8.0.391, 11.0.21, 17.0.9, 21.0.1 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Improper Access Control

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control. It allows unauthenticated attacker with network access via TLS to compromise Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service.

Remediation

Upgrade openjdk-jre to version 7.0.321, 8.0.311, 11.0.13, 17.0.1 or higher.

References

Improper Access Control vulnerability report

medium severity

Improper Access Control

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control via the CORBA component.

Note: This is only exploitable if data is supplied to APIs without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Remediation

Upgrade openjdk-jre to version 8.0.391 or higher.

References

Improper Access Control vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation. It was discovered that the StringBuffer and StringBuilder classes implementation in the Libraries component failed to properly validate the value of the count attribute during object deserialization. A specially-crafted input could cause a Java application to misbehave because of StringBuffer or StringBuilder object instances in an inconsistent state.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation. The ObjectInputStream class implementation in the Serialization component doesn't sufficiently validate data read from the input serialized stream when reading serialized exceptions. A specially-crafted serialized stream could use this flaw to bypass certain deserialization restrictions (defined via jdk.serialFilter system or security property).

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Improper Input Validation vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation by allowing unauthenticated malicious actors to update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

Improper Input Validation vulnerability report

medium severity

Infinite loop

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Infinite loop. A flaw was found in the way the XMLEntityScanner and XML11EntityScanner classes in the JAXP component handles and normalized newlines in XML entities. A specially-crafted XML document could cause a Java application to enter an infinite loop when parsed.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Infinite loop vulnerability report

medium severity

Information Exposure

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure. TransformerImpl class implementation in the JAXP component did not properly check access restrictions when performing URI resolution. This could possibly lead to information disclosure when performing XSLT transformations.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure. The XMLEntityManager class implementation in the JAXP component doesn't properly perform access checks. A Java application using a SAX XML parser in certain configurations could be tricked into disclosing information when parsing a specially-crafted XML file.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure due to a class compilation issue in the Hotspot component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.

References

Information Exposure vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Integer Overflow or Wraparound. A flaw was found in the BMPImageReader class implementation in the ImageIO component, which allows a specially-crafted BMP image to bypass previously applied protection and cause a Java application to allocate an excessive amount of memory when opened.

Note:

this is due to an incomplete fix for CVE-2021-35586.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Integer Overflow or Wraparound. A flaw was found in the way the Hotspot component of OpenJDK handled array indexes on 64-bit x86 platform. A large index could trigger a displacement overflow in LIRGenerator::emit_array_address, possibly leading to access at an invalid array position.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Integer Overflow or Wraparound vulnerability report

medium severity

Out-of-bounds Write

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Out-of-bounds Write. A flaw was found in the way the Hotspot component of OpenJDK processed classes with _fields that needed to be written to in Rewriter::scan_method().

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

Unsafe Reflection

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Unsafe Reflection via improper object-to-string conversion in AnnotationInvocationHandler.

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

Unsafe Reflection vulnerability report

medium severity

Insertion of Sensitive Information into Log File

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the security-libs/javax.xml.crypto component. An attacker with local access could access private keys.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

Insertion of Sensitive Information into Log File vulnerability report

medium severity

Improper Validation

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Validation. A flaw was found in the way the FtpClient implementation in the Networking component of OpenJDK handled responses to the FTP PASV command. A malicious FTP server could cause a Java application using FtpClient to connect to a host and port that is not accessible from the FTP server and perform port scanning or banner extraction.

Remediation

Upgrade openjdk-jre to version 7.0.311, 8.0.301, 11.0.12, 16.0.2 or higher.

References

Improper Validation vulnerability report

medium severity

Signature Validation Bypass

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Signature Validation Bypass. A flaw was found in the way the Library component of OpenJDK handled JAR files containing multiple MANIFEST.MF files. Such JAR files could cause signature verification process to return an incorrect result, possibly allowing tampering with signed JAR files.

Remediation

Upgrade openjdk-jre to version 7.0.311, 8.0.301, 11.0.12, 16.0.2 or higher.

References

Signature Validation Bypass vulnerability report

low severity

Denial of Service (DoS)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) via the JNDI component. This allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 7.0.311 or higher.

References

Denial of Service (DoS) vulnerability report

low severity

Denial of Service (DoS)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing checks for negative ObjectIdentifier. exploiting this vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

  2. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

Denial of Service (DoS) vulnerability report

low severity
new

Denial of Service (DoS)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) in the hotspot/runtime component.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 8.0.411, 11.0.23, 17.0.11, 21.0.3, 22.0.1 or higher.

References

Denial of Service (DoS) vulnerability report

low severity

Deserialization of Untrusted Data

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Deserialization of Untrusted Data the ObjectInputStream class implementation in the Serialization component did not check superclasses against the deserialization filter (defined via jdk.serialFilter system or security property) in cases when those classes were available locally and not included in the serialized stream. A specially-crafted serialized stream could possibly use this flaw to bypass class deserialization restrictions.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

Deserialization of Untrusted Data vulnerability report

low severity
new

Improper Access Control

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control in the hotspot/compiler component. An attacker can compromise data integrity.

Remediation

Upgrade openjdk-jre to version 8.0.411, 11.0.23, 17.0.11, 21.0.3, 22.0.1 or higher.

References

Improper Access Control vulnerability report

low severity

Insecure Randomness

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Insecure Randomness due to insufficient randomization of JNDI DNS port numbers. Successful attacks of this vulnerability can result in unauthorized update, insert, or deletion access to some accessible data.

Remediation

Upgrade openjdk-jre to version 8.0.351, 11.0.17, 17.0.5, 19.0.1 or higher.

References

Insecure Randomness vulnerability report

low severity

Remote Code Execution (RCE)

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper handling of long NTLM client hostnames. Exploiting this vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE, and Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert, or deletion access to some accessible data. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Note This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Remediation

Upgrade openjdk-jre to version 8.0.351, 11.0.17, 17.0.5, 19.0.1 or higher.

References

Remote Code Execution (RCE) vulnerability report

low severity

Timing Attack

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Timing Attack. It was discovered that the TLS implementation in the JSSE component of OpenJDK used non-constant comparisons when checking various data (such as session identifiers or verification data blocks) during TLS handshakes. A malicious TLS client could possibly use this flaw to recover that data by observing timing differences in processing of various inputs.

Remediation

Upgrade openjdk-jre to version 7.0.321, 8.0.311, 11.0.13, 17.0.1 or higher.

References

Timing Attack vulnerability report

low severity

Timing Attack

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Timing Attack. Timing attacks are possible in implementations of ECDSA/EdDSA in cryptographic software libraries which allows for practical recovery of the long-term private key. This is possible in implementations which leak the bit-length of the scalar during scalar multiplication on an elliptic curve. This leakage might seem minuscule as the bit-length presents a very small amount of information present in the scalar. However, in the case of ECDSA/EdDSA signature generation, the leaked bit-length of the random nonce is enough for full recovery of the private key used after observing a few hundreds to a few thousands of signatures on known messages, due to the application of lattice techniques.

Remediation

Upgrade openjdk-jre to version 8.0.232, 11.0.5 or higher.

References

Timing Attack vulnerability report

low severity

Access Control Bypass

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Access Control Bypass in the JavaFX media component, when running untrusted code.

Remediation

Upgrade openjdk-jre to version 8.0.401 or higher.

References

Access Control Bypass vulnerability report

low severity
new

Improper Access Control

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control through the JavaFX component. An attacker can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data by exploiting this vulnerability with network access via multiple protocols.

Note

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.411 or higher.

References

Improper Access Control vulnerability report

low severity
new

Improper Access Control

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control through the JavaFX component. An attacker can compromise accessible data by exploiting this vulnerability with network access via multiple protocols.

Note

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.411 or higher.

References

Improper Access Control vulnerability report

low severity

Information Exposure

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure via the JavaFX component, when running untrusted code.

Remediation

Upgrade openjdk-jre to version 8.0.401 or higher.

References

Information Exposure vulnerability report

low severity
new

Improper Access Control

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control through to the JavaFX component. An attacker can compromise the integrity of data by exploiting this vulnerability by logging into the infrastructure where the application executes.

Note

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.411, 17.0.11, 21.0.3, 22.0.1 or higher.

References

Improper Access Control vulnerability report

low severity
new

Improper Access Control

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control through to the JavaFX component. An attacker can compromise the integrity of data by exploiting this vulnerability by logging into the infrastructure where the application executes.

Note This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.411, 17.0.11, 21.0.3, 22.0.1 or higher.

References

Improper Access Control vulnerability report

low severity

Improper Privilege Management

  • Vulnerable module: openjdk-jre
  • Introduced through: openjdk-jre@1.6.0-119-b119

Detailed paths

  • Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 openjdk-jre@1.6.0-119-b119

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Privilege Management via the JavaFX component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

Improper Privilege Management vulnerability report