Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Access Restriction Bypass via incorrect principal selection when using Kerberos Constrained Delegation result in unauthorized access to critical data or complete access to all GraalVM accessible data.

Remediation

Upgrade openjdk-jre to version 7.0.321, 8.0.311, 11.0.13, 17.0.1 or higher.

References

• Oracle Security Advisory
• RedHat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Alpine. See How to fix? for Alpine:3.12 relevant fixed versions and status.

Rejected reason: Non Security Issue. See the binutils security policy for more details, https://sourceware.org/cgit/binutils-gdb/tree/binutils/SECURITY.txt

Remediation

Upgrade Alpine:3.12 binutils to version 2.34-r2 or higher.

References

• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3Z3KSJY3CLAAFFT7FNFCJOMDITPQGN56/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6V2LF5AVOUTHPYY2O5TRNAIXVMXFDGL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNBNDMJWZOQYCEZXENHBSM6DBZ332UZZ/
• https://bugzilla.redhat.com/show_bug.cgi?id=1947111
• https://security.gentoo.org/glsa/202208-30
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3Z3KSJY3CLAAFFT7FNFCJOMDITPQGN56/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6V2LF5AVOUTHPYY2O5TRNAIXVMXFDGL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNBNDMJWZOQYCEZXENHBSM6DBZ332UZZ/

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

It allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

Remediation

Upgrade openjdk-jre to version 7.0.55, 8.0.5 or higher.

References

• Gentoo Security Advisory
• HP Security Bulletin
• Oracle Security Bulletin
• RHSA Security Advisory
• Security Focus

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Command Injection. It was discovered that the implementation of ProcessBuilder in the Libraries component of OpenJDK on the Windows platform did not properly detect command arguments that were not quoted correctly. This could lead to manipulation of command arguments when executing processes with arguments from untrusted sources.

Remediation

Upgrade openjdk-jre to version 16.0.1, 11.0.11, 8.0.291, 7.0.301 or higher.

References

• Oracle Security Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control due to improper access restriction of the MethodHandle.invokeBasic method of the Hotspot component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.

References

• OpenJDK Security Advisory
• Oracle Security Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation due to a range check loop optimization issue in the hotspot/compiler component. An attacker can obtain sensitive information without authorization by exploiting the improper input validation.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

• RedHat Bugzilla Bug
• Security Advisory
• Vulnerability Advisory

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation due to a flaw in the JVM class file verifier in the hotspot/runtime component. An attacker can execute unverified bytecode by crafting a malicious input that bypasses the verification process.

Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

• RedHat Bugzilla Bug
• Security Advisory
• Vulnerability Advisory

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure in the core-libs/javax.script component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22 or higher.

References

• Security Advisory
• Vulnerability Advisory

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.12 relevant fixed versions and status.

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Remediation

Upgrade Alpine:3.12 openssl to version 1.1.1j-r0 or higher.

References

• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
• https://security.netapp.com/advisory/ntap-20210219-0009/
• https://security.netapp.com/advisory/ntap-20210513-0002/
• https://support.apple.com/kb/HT212528
• https://support.apple.com/kb/HT212529
• https://support.apple.com/kb/HT212534
• https://www.openssl.org/news/secadv/20210216.txt
• https://www.tenable.com/security/tns-2021-03
• https://www.tenable.com/security/tns-2021-09
• https://www.debian.org/security/2021/dsa-4855
• http://seclists.org/fulldisclosure/2021/May/67
• http://seclists.org/fulldisclosure/2021/May/68
• http://seclists.org/fulldisclosure/2021/May/70
• https://security.gentoo.org/glsa/202103-03
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.12 relevant fixed versions and status.

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

Remediation

Upgrade Alpine:3.12 openssl to version 1.1.1i-r0 or higher.

References

• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676
• https://security.netapp.com/advisory/ntap-20201218-0005/
• https://security.netapp.com/advisory/ntap-20210513-0002/
• https://www.openssl.org/news/secadv/20201208.txt
• https://www.tenable.com/security/tns-2020-11
• https://www.tenable.com/security/tns-2021-09
• https://www.tenable.com/security/tns-2021-10
• https://www.debian.org/security/2020/dsa-4807
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/
• https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc
• https://security.gentoo.org/glsa/202012-13
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html
• https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html
• http://www.openwall.com/lists/oss-security/2021/09/14/2
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920
• https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.12 relevant fixed versions and status.

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Remediation

Upgrade Alpine:3.12 openssl to version 1.1.1k-r0 or higher.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
• https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
• https://kc.mcafee.com/corporate/index?page=content&id=SB10356
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
• https://security.netapp.com/advisory/ntap-20210326-0006/
• https://security.netapp.com/advisory/ntap-20210513-0002/
• https://www.openssl.org/news/secadv/20210325.txt
• https://www.tenable.com/security/tns-2021-05
• https://www.tenable.com/security/tns-2021-06
• https://www.tenable.com/security/tns-2021-09
• https://www.tenable.com/security/tns-2021-10
• https://www.debian.org/security/2021/dsa-4875
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
• https://security.gentoo.org/glsa/202103-03
• https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html
• http://www.openwall.com/lists/oss-security/2021/03/27/1
• http://www.openwall.com/lists/oss-security/2021/03/27/2
• http://www.openwall.com/lists/oss-security/2021/03/28/3
• http://www.openwall.com/lists/oss-security/2021/03/28/4
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/

NVD Description

Note: Versions mentioned in the description apply only to the upstream musl package and not the musl package as distributed by Alpine. See How to fix? for Alpine:3.12 relevant fixed versions and status.

In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

Remediation

Upgrade Alpine:3.12 musl to version 1.1.24-r10 or higher.

References

• http://www.openwall.com/lists/oss-security/2020/11/20/4
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/
• https://musl.libc.org/releases.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E
• https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E
• https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E
• https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E
• https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Alpine. See How to fix? for Alpine:3.12 relevant fixed versions and status.

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade Alpine:3.12 tar to version 1.32-r2 or higher.

References

• https://security.gentoo.org/glsa/202105-29
• https://bugzilla.redhat.com/show_bug.cgi?id=1917565
• https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
• https://savannah.gnu.org/bugs/?59897

NVD Description

Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. See How to fix? for Alpine:3.12 relevant fixed versions and status.

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

Remediation

Upgrade Alpine:3.12 busybox to version 1.31.1-r21 or higher.

References

• https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
• https://security.netapp.com/advisory/ntap-20211223-0002/
• https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling the implementation of the IdentityHashMap class doesn't properly validate the value of its size attribute when creating object instances from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. A flaw was found in the way the BMPImageReader class implementation in the ImageIO performs memory allocations when reading palette information from BMP images. A specially-crafted BMP file could cause a Java application to consume an excessive amount of memory when opened.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. A flaw was found in the way the Attributes class in the Libraries component performs reading of attributes with very long values from the JAR file manifests. A specially-crafted JAR archive could cause a Java application reading its manifest to use an excessive amount of system resources and hang.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when HttpServer has no connection count limit. Exploiting this vulnerability allows unauthenticated attackers with network access via HTTP protocol to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.

Remediation

Upgrade openjdk-jre to version 8.0.351, 11.0.17, 17.0.5, 19.0.1 or higher.

References

• Oracle Security Alerts

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Cryptographic Weakness. A flaw was found in the way the Libraries component of OpenJDK enforced constraints defined in the jdk.jar.disabledAlgorithms security property. Verification of a JAR file signed using a disabled algorithm could succeed in certain cases, leading to bypass of the intended security restrictions.

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Remediation

Upgrade openjdk-jre to version 16.0.1, 11.0.11, 8.0.291, 7.0.301 or higher.

References

• Oracle Security Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) by allowing unauthenticated users with network access to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition via multiple protocols.

Note: This issue is reported to only affect Java running on Solaris platform and is not believed to be applicable to other platforms.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Oracle Security Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) by allowing unauthenticated attackers with network access via multiple protocols to compromise the application.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

• Oracle Security Report
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) due to the computeNextExponential method of the Libraries component failing to comply with the documentation, returning sometimes negative numbers.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.

References

• OpenJDK Security Advisory
• Oracle Security Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) due to excessive memory allocation in X.509 certificate parsing (Security, 8286533). Exploiting this vulnerability allows unauthenticated attackers with network access via HTTPS to cause a partial denial of service of Oracle Java SE, Oracle GraalVM Enterprise Edition.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 8.0.351, 11.0.17 or higher.

References

• Oracle Security Alerts

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) in security-libs/javax.net.ssl, when running untrusted code.

Remediation

Upgrade openjdk-jre to version 8.0.391, 11.0.21, 17.0.9, 21.0.1 or higher.

References

• Vulnerability Advisory

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control. It allows unauthenticated attacker with network access via TLS to compromise Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service.

Remediation

Upgrade openjdk-jre to version 7.0.321, 8.0.311, 11.0.13, 17.0.1 or higher.

References

• Oracle Critical Patch Update Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Access Control via the CORBA component.

Note: This is only exploitable if data is supplied to APIs without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Remediation

Upgrade openjdk-jre to version 8.0.391 or higher.

References

• Vulnerability Advisory

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation. It was discovered that the StringBuffer and StringBuilder classes implementation in the Libraries component failed to properly validate the value of the count attribute during object deserialization. A specially-crafted input could cause a Java application to misbehave because of StringBuffer or StringBuilder object instances in an inconsistent state.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation. The ObjectInputStream class implementation in the Serialization component doesn't sufficiently validate data read from the input serialized stream when reading serialized exceptions. A specially-crafted serialized stream could use this flaw to bypass certain deserialization restrictions (defined via jdk.serialFilter system or security property).

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation by allowing unauthenticated malicious actors to update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

• Oracle Security Report
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Infinite loop. A flaw was found in the way the XMLEntityScanner and XML11EntityScanner classes in the JAXP component handles and normalized newlines in XML entities. A specially-crafted XML document could cause a Java application to enter an infinite loop when parsed.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure. TransformerImpl class implementation in the JAXP component did not properly check access restrictions when performing URI resolution. This could possibly lead to information disclosure when performing XSLT transformations.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure. The XMLEntityManager class implementation in the JAXP component doesn't properly perform access checks. A Java application using a SAX XML parser in certain configurations could be tricked into disclosing information when parsing a specially-crafted XML file.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure due to a class compilation issue in the Hotspot component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.

References

• OpenJDK Security Advisory
• Oracle Security Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Integer Overflow or Wraparound. A flaw was found in the BMPImageReader class implementation in the ImageIO component, which allows a specially-crafted BMP image to bypass previously applied protection and cause a Java application to allocate an excessive amount of memory when opened.

Note:

this is due to an incomplete fix for CVE-2021-35586.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Integer Overflow or Wraparound. A flaw was found in the way the Hotspot component of OpenJDK handled array indexes on 64-bit x86 platform. A large index could trigger a displacement overflow in LIRGenerator::emit_array_address, possibly leading to access at an invalid array position.

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Out-of-bounds Write. A flaw was found in the way the Hotspot component of OpenJDK processed classes with _fields that needed to be written to in Rewriter::scan_method().

Remediation

Upgrade openjdk-jre to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.

References

• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Unsafe Reflection via improper object-to-string conversion in AnnotationInvocationHandler.

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

• Oracle Security Report
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a segmentation fault in the ciMethodBlocks::make_block_at() function. This allows attackers to cause a denial of service.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade openjdk-jre to version 11.0.17, 13.0.13, 15.0.9, 17.0.5, 19.0.0 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• JDK Issue
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the security-libs/javax.xml.crypto component. An attacker with local access could access private keys.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

• RedHat Bugzilla Bug
• Security Advisory
• Vulnerability Advisory

NVD Description

Note: Versions mentioned in the description apply only to the upstream zstd package and not the zstd package as distributed by Alpine. See How to fix? for Alpine:3.12 relevant fixed versions and status.

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

Remediation

Upgrade Alpine:3.12 zstd to version 1.4.9-r0 or higher.

References

• https://github.com/facebook/zstd/issues/2491
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
• https://www.facebook.com/security/advisories/cve-2021-24032

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Validation. A flaw was found in the way the FtpClient implementation in the Networking component of OpenJDK handled responses to the FTP PASV command. A malicious FTP server could cause a Java application using FtpClient to connect to a host and port that is not accessible from the FTP server and perform port scanning or banner extraction.

Remediation

Upgrade openjdk-jre to version 7.0.311, 8.0.301, 11.0.12, 16.0.2 or higher.

References

• Oracle Security Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Signature Validation Bypass. A flaw was found in the way the Library component of OpenJDK handled JAR files containing multiple MANIFEST.MF files. Such JAR files could cause signature verification process to return an incorrect result, possibly allowing tampering with signed JAR files.

Remediation

Upgrade openjdk-jre to version 7.0.311, 8.0.301, 11.0.12, 16.0.2 or higher.

References

• Oracle Security Advisory
• RedHat Bugzilla Bug