Vulnerabilities |
87 via 274 paths |
---|---|
Dependencies |
54 |
Source |
Docker |
Target OS |
alpine:3.9.4 |
critical severity
- Vulnerable module: bzip2/libbz2
- Introduced through: bzip2/libbz2@1.0.6-r6
- Fixed in: 1.0.6-r7
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › bzip2/libbz2@1.0.6-r6
NVD Description
Note: Versions mentioned in the description apply only to the upstream bzip2
package and not the bzip2
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Remediation
Upgrade Alpine:3.9
bzip2
to version 1.0.6-r7 or higher.
References
- https://seclists.org/bugtraq/2019/Aug/4
- https://seclists.org/bugtraq/2019/Jul/22
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&utm_medium=RSS
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
- https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html
- https://security-tracker.debian.org/tracker/CVE-2019-12900
- https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
- http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html
- http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html
- https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4@%3Cuser.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00078.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00000.html
- https://usn.ubuntu.com/4146-1/
- https://usn.ubuntu.com/4146-2/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12900
- https://usn.ubuntu.com/4038-1/
- https://usn.ubuntu.com/4038-2/
- https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b%40%3Cusers.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774%40%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4%40%3Cuser.flink.apache.org%3E
- https://support.f5.com/csp/article/K68713584?utm_source=f5support&%3Butm_medium=RSS
critical severity
- Vulnerable module: musl/musl
- Introduced through: musl/musl@1.1.20-r4 and musl/musl-utils@1.1.20-r4
- Fixed in: 1.1.20-r5
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › musl/musl@1.1.20-r4
-
Introduced through: openjdk@8-jdk-alpine › musl/musl-utils@1.1.20-r4
NVD Description
Note: Versions mentioned in the description apply only to the upstream musl
package and not the musl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.
Remediation
Upgrade Alpine:3.9
musl
to version 1.1.20-r5 or higher.
References
critical severity
- Vulnerable module: sqlite/sqlite-libs
- Introduced through: sqlite/sqlite-libs@3.26.0-r3
- Fixed in: 3.28.0-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › sqlite/sqlite-libs@3.26.0-r3
NVD Description
Note: Versions mentioned in the description apply only to the upstream sqlite
package and not the sqlite
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
Remediation
Upgrade Alpine:3.9
sqlite
to version 3.28.0-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
- https://security-tracker.debian.org/tracker/CVE-2019-8457
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.sqlite.org/releaselog/3_28_0.html
- https://www.sqlite.org/src/info/90acdbfce9c08858
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20190606-0002/
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-8457
- https://usn.ubuntu.com/4004-1/
- https://usn.ubuntu.com/4004-2/
- https://usn.ubuntu.com/4019-1/
- https://usn.ubuntu.com/4019-2/
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/
high severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://www.debian.org/security/2020/dsa-4734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
- https://security.gentoo.org/glsa/202008-24
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://usn.ubuntu.com/4433-1/
- https://usn.ubuntu.com/4453-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
high severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
high severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
high severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.242.08-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.242.08-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2604
- https://seclists.org/bugtraq/2020/Feb/22
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://www.debian.org/security/2020/dsa-4621
- https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
- https://security-tracker.debian.org/tracker/CVE-2020-2604
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.netapp.com/advisory/ntap-20200122-0003/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
- https://access.redhat.com/errata/RHSA-2020:0122
- https://access.redhat.com/errata/RHSA-2020:0128
- https://access.redhat.com/errata/RHSA-2020:0196
- https://access.redhat.com/errata/RHSA-2020:0202
- https://access.redhat.com/errata/RHSA-2020:0231
- https://access.redhat.com/errata/RHSA-2020:0232
- https://access.redhat.com/errata/RHSA-2020:0465
- https://access.redhat.com/errata/RHSA-2020:0467
- https://access.redhat.com/errata/RHSA-2020:0468
- https://access.redhat.com/errata/RHSA-2020:0469
- https://access.redhat.com/errata/RHSA-2020:0470
- https://access.redhat.com/errata/RHSA-2020:0541
- https://access.redhat.com/errata/RHSA-2020:0632
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-2604
- https://usn.ubuntu.com/4257-1/
- https://www.oracle.com/security-alerts/cpujul2021.html
high severity
- Vulnerable module: sqlite/sqlite-libs
- Introduced through: sqlite/sqlite-libs@3.26.0-r3
- Fixed in: 3.28.0-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › sqlite/sqlite-libs@3.26.0-r3
NVD Description
Note: Versions mentioned in the description apply only to the upstream sqlite
package and not the sqlite
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
Remediation
Upgrade Alpine:3.9
sqlite
to version 3.28.0-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018
- https://security-tracker.debian.org/tracker/CVE-2019-5018
- https://security.gentoo.org/glsa/201908-09
- http://packetstormsecurity.com/files/152809/Sqlite3-Window-Function-Remote-Code-Execution.html
- https://security.netapp.com/advisory/ntap-20190521-0001/
- http://www.securityfocus.com/bid/108294
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0777
- https://usn.ubuntu.com/4205-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5018
high severity
- Vulnerable module: libjpeg-turbo/libjpeg-turbo
- Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.3-r4
- Fixed in: 1.5.3-r6
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › libjpeg-turbo/libjpeg-turbo@1.5.3-r4
NVD Description
Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo
package and not the libjpeg-turbo
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-120551338
Remediation
Upgrade Alpine:3.9
libjpeg-turbo
to version 1.5.3-r6 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2201
- https://security-tracker.debian.org/tracker/CVE-2019-2201
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4QPASQPZO644STRFTLOD35RIRGWWRNI/
- https://security.gentoo.org/glsa/202003-23
- https://source.android.com/security/bulletin/2019-11-01
- https://lists.apache.org/thread.html/rc800763a88775ac9abb83b3402bcd0913d41ac65fdfc759af38f2280@%3Ccommits.mxnet.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00048.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2201
- https://usn.ubuntu.com/4190-1/
- https://lists.debian.org/debian-lts-announce/2022/05/msg00048.html
- https://lists.apache.org/thread.html/rc800763a88775ac9abb83b3402bcd0913d41ac65fdfc759af38f2280%40%3Ccommits.mxnet.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4QPASQPZO644STRFTLOD35RIRGWWRNI/
high severity
- Vulnerable module: libx11/libx11
- Introduced through: libx11/libx11@1.6.7-r0
- Fixed in: 1.6.12-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › libx11/libx11@1.6.7-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libx11
package and not the libx11
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.
Remediation
Upgrade Alpine:3.9
libx11
to version 1.6.12-r0 or higher.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14363
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AVXCQOSCAPKYYHFIJAZ6E2C7LJBTLXF/
- https://github.com/Ruia-ruia/Exploits/blob/master/DFX11details.txt
- https://github.com/Ruia-ruia/Exploits/blob/master/x11doublefree.sh
- https://lists.x.org/archives/xorg-announce/2020-August/003056.html
- https://usn.ubuntu.com/4487-2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7AVXCQOSCAPKYYHFIJAZ6E2C7LJBTLXF/
high severity
- Vulnerable module: krb5/krb5-libs
- Introduced through: krb5/krb5-libs@1.15.5-r0
- Fixed in: 1.15.5-r1
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › krb5/krb5-libs@1.15.5-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream krb5
package and not the krb5
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
Remediation
Upgrade Alpine:3.9
krb5
to version 1.15.5-r1 or higher.
References
- https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd
- https://security.netapp.com/advisory/ntap-20201202-0001/
- https://security.netapp.com/advisory/ntap-20210513-0002/
- https://www.debian.org/security/2020/dsa-4795
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/45KKOZQWIIIW5C45PJVGQ32AXBSYNBE7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/73IGOG6CZAVMVNS4GGRMOLOZ7B6QVA7F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPH2V3WSQTELROZK3GFCPQDOFLKIZ6H5/
- https://security.gentoo.org/glsa/202011-17
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/11/msg00011.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/45KKOZQWIIIW5C45PJVGQ32AXBSYNBE7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/73IGOG6CZAVMVNS4GGRMOLOZ7B6QVA7F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPH2V3WSQTELROZK3GFCPQDOFLKIZ6H5/
high severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1j-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1j-r0 or higher.
References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
- https://security.netapp.com/advisory/ntap-20210219-0009/
- https://www.openssl.org/news/secadv/20210216.txt
- https://www.tenable.com/security/tns-2021-03
- https://www.tenable.com/security/tns-2021-09
- https://www.tenable.com/security/tns-2021-10
- https://www.debian.org/security/2021/dsa-4855
- https://security.gentoo.org/glsa/202103-03
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20240621-0006/
high severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1g-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1g-r0 or higher.
References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440
- https://security.netapp.com/advisory/ntap-20200424-0003/
- https://security.netapp.com/advisory/ntap-20200717-0004/
- https://www.openssl.org/news/secadv/20200421.txt
- https://www.synology.com/security/advisory/Synology_SA_20_05
- https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL
- https://www.tenable.com/security/tns-2020-03
- https://www.tenable.com/security/tns-2020-04
- https://www.tenable.com/security/tns-2020-11
- https://www.tenable.com/security/tns-2021-10
- https://www.debian.org/security/2020/dsa-4661
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc
- http://seclists.org/fulldisclosure/2020/May/5
- https://security.gentoo.org/glsa/202004-10
- http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html
- https://github.com/irsl/CVE-2020-1967
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/04/22/2
- https://www.oracle.com//security-alerts/cpujul2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1
- https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/
high severity
- Vulnerable module: sqlite/sqlite-libs
- Introduced through: sqlite/sqlite-libs@3.26.0-r3
- Fixed in: 3.28.0-r2
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › sqlite/sqlite-libs@3.26.0-r3
NVD Description
Note: Versions mentioned in the description apply only to the upstream sqlite
package and not the sqlite
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.
Remediation
Upgrade Alpine:3.9
sqlite
to version 3.28.0-r2 or higher.
References
high severity
- Vulnerable module: sqlite/sqlite-libs
- Introduced through: sqlite/sqlite-libs@3.26.0-r3
- Fixed in: 3.28.0-r3
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › sqlite/sqlite-libs@3.26.0-r3
NVD Description
Note: Versions mentioned in the description apply only to the upstream sqlite
package and not the sqlite
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
Remediation
Upgrade Alpine:3.9
sqlite
to version 3.28.0-r3 or higher.
References
- https://security.netapp.com/advisory/ntap-20200416-0001/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc
- https://security.gentoo.org/glsa/202007-26
- https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11
- https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/05/msg00006.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://usn.ubuntu.com/4394-1/
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.tenable.com/security/tns-2021-14
high severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://www.debian.org/security/2020/dsa-4734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
- https://security.gentoo.org/glsa/202008-24
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://usn.ubuntu.com/4433-1/
- https://usn.ubuntu.com/4453-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
high severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1k-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1k-r0 or higher.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
- https://kc.mcafee.com/corporate/index?page=content&id=SB10356
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
- https://security.netapp.com/advisory/ntap-20210326-0006/
- https://www.openssl.org/news/secadv/20210325.txt
- https://www.tenable.com/security/tns-2021-05
- https://www.tenable.com/security/tns-2021-08
- https://www.tenable.com/security/tns-2021-09
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
- https://security.gentoo.org/glsa/202103-03
- https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html
- https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://www.openwall.com/lists/oss-security/2021/03/27/1
- http://www.openwall.com/lists/oss-security/2021/03/27/2
- http://www.openwall.com/lists/oss-security/2021/03/28/3
- http://www.openwall.com/lists/oss-security/2021/03/28/4
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Kerberos). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://support.f5.com/csp/article/K54213762?utm_source=f5support&utm_medium=RSS
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2949
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2949
- https://support.f5.com/csp/article/K54213762?utm_source=f5support&%3Butm_medium=RSS
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 6.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security-tracker.debian.org/tracker/CVE-2019-2989
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2989
- https://usn.ubuntu.com/4223-1/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.242.08-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.242.08-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2601
- https://seclists.org/bugtraq/2020/Feb/22
- https://seclists.org/bugtraq/2020/Jan/24
- https://www.debian.org/security/2020/dsa-4605
- https://www.debian.org/security/2020/dsa-4621
- https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
- https://security-tracker.debian.org/tracker/CVE-2020-2601
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.netapp.com/advisory/ntap-20200122-0003/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
- https://access.redhat.com/errata/RHSA-2020:0122
- https://access.redhat.com/errata/RHSA-2020:0128
- https://access.redhat.com/errata/RHSA-2020:0157
- https://access.redhat.com/errata/RHSA-2020:0196
- https://access.redhat.com/errata/RHSA-2020:0202
- https://access.redhat.com/errata/RHSA-2020:0231
- https://access.redhat.com/errata/RHSA-2020:0232
- https://access.redhat.com/errata/RHSA-2020:0541
- https://access.redhat.com/errata/RHSA-2020:0632
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-2601
- https://usn.ubuntu.com/4257-1/
medium severity
- Vulnerable module: e2fsprogs/libcom_err
- Introduced through: e2fsprogs/libcom_err@1.44.5-r0
- Fixed in: 1.44.5-r1
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › e2fsprogs/libcom_err@1.44.5-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream e2fsprogs
package and not the e2fsprogs
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
Remediation
Upgrade Alpine:3.9
e2fsprogs
to version 1.44.5-r1 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094
- https://seclists.org/bugtraq/2019/Sep/58
- https://security.netapp.com/advisory/ntap-20200115-0002/
- https://www.debian.org/security/2019/dsa-4535
- https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html
- https://security-tracker.debian.org/tracker/CVE-2019-5094
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/
- https://security.gentoo.org/glsa/202003-05
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887
- https://usn.ubuntu.com/4142-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5094
- https://usn.ubuntu.com/4142-2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/
medium severity
- Vulnerable module: e2fsprogs/libcom_err
- Introduced through: e2fsprogs/libcom_err@1.44.5-r0
- Fixed in: 1.44.5-r2
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › e2fsprogs/libcom_err@1.44.5-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream e2fsprogs
package and not the e2fsprogs
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
Remediation
Upgrade Alpine:3.9
e2fsprogs
to version 1.44.5-r2 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188
- https://security-tracker.debian.org/tracker/CVE-2019-5188
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/
- https://lists.debian.org/debian-lts-announce/2020/03/msg00030.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188
- https://usn.ubuntu.com/4249-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/
- https://security.netapp.com/advisory/ntap-20220506-0001/
medium severity
- Vulnerable module: libx11/libx11
- Introduced through: libx11/libx11@1.6.7-r0
- Fixed in: 1.6.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › libx11/libx11@1.6.7-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libx11
package and not the libx11
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux.
Remediation
Upgrade Alpine:3.9
libx11
to version 1.6.10-r0 or higher.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14344
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4VDDSAYV7XGNRCXE7HCU23645MG74OFF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AVXCQOSCAPKYYHFIJAZ6E2C7LJBTLXF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XY4H2SIEF2362AMNX5ZKWAELGU7LKFJB/
- https://security.gentoo.org/glsa/202008-18
- https://lists.x.org/archives/xorg-announce/2020-July/003050.html
- https://www.openwall.com/lists/oss-security/2020/07/31/1
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00031.html
- https://usn.ubuntu.com/4487-1/
- https://usn.ubuntu.com/4487-2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4VDDSAYV7XGNRCXE7HCU23645MG74OFF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7AVXCQOSCAPKYYHFIJAZ6E2C7LJBTLXF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XY4H2SIEF2362AMNX5ZKWAELGU7LKFJB/
medium severity
- Vulnerable module: freetype/freetype
- Introduced through: freetype/freetype@2.9.1-r2
- Fixed in: 2.9.1-r3
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › freetype/freetype@2.9.1-r2
NVD Description
Note: Versions mentioned in the description apply only to the upstream freetype
package and not the freetype
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Remediation
Upgrade Alpine:3.9
freetype
to version 2.9.1-r3 or higher.
References
- https://www.debian.org/security/2021/dsa-4824
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J3QVIGAAJ4D62YEJAJJWMCCBCOQ6TVL7/
- http://seclists.org/fulldisclosure/2020/Nov/33
- https://security.gentoo.org/glsa/202011-12
- https://security.gentoo.org/glsa/202012-04
- https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html
- https://crbug.com/1139963
- https://googleprojectzero.blogspot.com/p/rca-cve-2020-15999.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3QVIGAAJ4D62YEJAJJWMCCBCOQ6TVL7/
- https://security.gentoo.org/glsa/202401-19
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
medium severity
- Vulnerable module: libjpeg-turbo/libjpeg-turbo
- Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.3-r4
- Fixed in: 1.5.3-r5
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › libjpeg-turbo/libjpeg-turbo@1.5.3-r4
NVD Description
Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo
package and not the libjpeg-turbo
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
Remediation
Upgrade Alpine:3.9
libjpeg-turbo
to version 1.5.3-r5 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498
- https://lists.debian.org/debian-lts-announce/2019/03/msg00021.html
- https://security-tracker.debian.org/tracker/CVE-2018-14498
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7YP4QUEYGHI4Q7GIAVFVKWQ7DJMBYLU/
- https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
- https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258
- https://github.com/mozilla/mozjpeg/issues/299
- https://lists.debian.org/debian-lts-announce/2020/07/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00015.html
- https://access.redhat.com/errata/RHSA-2019:2052
- https://access.redhat.com/errata/RHSA-2019:3705
- https://usn.ubuntu.com/4190-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-14498
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7YP4QUEYGHI4Q7GIAVFVKWQ7DJMBYLU/
medium severity
- Vulnerable module: sqlite/sqlite-libs
- Introduced through: sqlite/sqlite-libs@3.26.0-r3
- Fixed in: 3.28.0-r1
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › sqlite/sqlite-libs@3.26.0-r3
NVD Description
Note: Versions mentioned in the description apply only to the upstream sqlite
package and not the sqlite
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."
Remediation
Upgrade Alpine:3.9
sqlite
to version 3.28.0-r1 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168
- https://www.tenable.com/security/tns-2021-08
- https://www.tenable.com/security/tns-2021-11
- https://www.tenable.com/security/tns-2021-14
- https://security-tracker.debian.org/tracker/CVE-2019-16168
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/
- https://security.gentoo.org/glsa/202003-16
- https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
- https://www.sqlite.org/src/timeline?c=98357d8c1263920b
- https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20190926-0003/
- https://security.netapp.com/advisory/ntap-20200122-0003/
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-16168
- https://usn.ubuntu.com/4205-1/
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/
- https://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg116312.html
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2958
- https://security-tracker.debian.org/tracker/CVE-2019-2958
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
medium severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1j-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1j-r0 or higher.
References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
- https://security.netapp.com/advisory/ntap-20210219-0009/
- https://security.netapp.com/advisory/ntap-20210513-0002/
- https://support.apple.com/kb/HT212528
- https://support.apple.com/kb/HT212529
- https://support.apple.com/kb/HT212534
- https://www.openssl.org/news/secadv/20210216.txt
- https://www.tenable.com/security/tns-2021-03
- https://www.tenable.com/security/tns-2021-09
- https://www.debian.org/security/2021/dsa-4855
- http://seclists.org/fulldisclosure/2021/May/67
- http://seclists.org/fulldisclosure/2021/May/68
- http://seclists.org/fulldisclosure/2021/May/70
- https://security.gentoo.org/glsa/202103-03
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807
- https://security.netapp.com/advisory/ntap-20240621-0006/
medium severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1k-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1k-r0 or higher.
References
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
- https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
- https://kc.mcafee.com/corporate/index?page=content&id=SB10356
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
- https://security.netapp.com/advisory/ntap-20210326-0006/
- https://security.netapp.com/advisory/ntap-20210513-0002/
- https://www.openssl.org/news/secadv/20210325.txt
- https://www.tenable.com/security/tns-2021-05
- https://www.tenable.com/security/tns-2021-06
- https://www.tenable.com/security/tns-2021-09
- https://www.tenable.com/security/tns-2021-10
- https://www.debian.org/security/2021/dsa-4875
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
- https://security.gentoo.org/glsa/202103-03
- https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html
- http://www.openwall.com/lists/oss-security/2021/03/27/1
- http://www.openwall.com/lists/oss-security/2021/03/27/2
- http://www.openwall.com/lists/oss-security/2021/03/28/3
- http://www.openwall.com/lists/oss-security/2021/03/28/4
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
- https://security.netapp.com/advisory/ntap-20240621-0006/
medium severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1i-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1i-r0 or higher.
References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676
- https://security.netapp.com/advisory/ntap-20201218-0005/
- https://security.netapp.com/advisory/ntap-20210513-0002/
- https://www.openssl.org/news/secadv/20201208.txt
- https://www.tenable.com/security/tns-2020-11
- https://www.tenable.com/security/tns-2021-09
- https://www.tenable.com/security/tns-2021-10
- https://www.debian.org/security/2020/dsa-4807
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc
- https://security.gentoo.org/glsa/202012-13
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html
- https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html
- http://www.openwall.com/lists/oss-security/2021/09/14/2
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920
- https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/
- https://security.netapp.com/advisory/ntap-20240621-0006/
medium severity
- Vulnerable module: sqlite/sqlite-libs
- Introduced through: sqlite/sqlite-libs@3.26.0-r3
- Fixed in: 3.28.0-r2
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › sqlite/sqlite-libs@3.26.0-r3
NVD Description
Note: Versions mentioned in the description apply only to the upstream sqlite
package and not the sqlite
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.
Remediation
Upgrade Alpine:3.9
sqlite
to version 3.28.0-r2 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242
- https://security-tracker.debian.org/tracker/CVE-2019-19242
- https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19242
- https://usn.ubuntu.com/4205-1/
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
medium severity
- Vulnerable module: libtasn1/libtasn1
- Introduced through: libtasn1/libtasn1@4.13-r0
- Fixed in: 4.14-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › libtasn1/libtasn1@4.13-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream libtasn1
package and not the libtasn1
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
Remediation
Upgrade Alpine:3.9
libtasn1
to version 4.14-r0 or higher.
References
- https://gitlab.com/gnutls/libtasn1/issues/4
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000654
- https://security-tracker.debian.org/tracker/CVE-2018-1000654
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00018.html
- http://www.securityfocus.com/bid/105151
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000654
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
medium severity
- Vulnerable module: musl/musl
- Introduced through: musl/musl@1.1.20-r4 and musl/musl-utils@1.1.20-r4
- Fixed in: 1.1.20-r6
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › musl/musl@1.1.20-r4
-
Introduced through: openjdk@8-jdk-alpine › musl/musl-utils@1.1.20-r4
NVD Description
Note: Versions mentioned in the description apply only to the upstream musl
package and not the musl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).
Remediation
Upgrade Alpine:3.9
musl
to version 1.1.20-r6 or higher.
References
- http://www.openwall.com/lists/oss-security/2020/11/20/4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/
- https://musl.libc.org/releases.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1@%3Cnotifications.apisix.apache.org%3E
- https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e@%3Cnotifications.apisix.apache.org%3E
- https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2@%3Cnotifications.apisix.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/11/msg00050.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab8169df8b8a9eb1%40%3Cnotifications.apisix.apache.org%3E
- https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf2469d919c7264e%40%3Cnotifications.apisix.apache.org%3E
- https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1eab1ff3ebb29e2%40%3Cnotifications.apisix.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKQ3RVSMVZNZNO4D65W2CZZ4DMYFZN2Q/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UW27QVY7ERPTSGKS4KAWE5TU7EJWHKVQ/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.222.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.222.10-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762
- https://kc.mcafee.com/corporate/index?page=content&id=SB10300
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://security-tracker.debian.org/tracker/CVE-2019-2762
- https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2494
- https://access.redhat.com/errata/RHSA-2019:2495
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2762
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.222.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.222.10-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769
- https://kc.mcafee.com/corporate/index?page=content&id=SB10300
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://security-tracker.debian.org/tracker/CVE-2019-2769
- https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2494
- https://access.redhat.com/errata/RHSA-2019:2495
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2769
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://www.debian.org/security/2020/dsa-4734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
- https://security.gentoo.org/glsa/202008-24
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://usn.ubuntu.com/4433-1/
- https://usn.ubuntu.com/4453-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103%40%3Cj-users.xerces.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20201023-0004/
- https://www.debian.org/security/2020/dsa-4779
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10318
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10318
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.222.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.222.10-r0 or higher.
References
- https://seclists.org/bugtraq/2019/Apr/30
- https://seclists.org/bugtraq/2019/Apr/36
- https://seclists.org/bugtraq/2019/May/56
- https://seclists.org/bugtraq/2019/May/59
- https://seclists.org/bugtraq/2019/May/67
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
- https://www.debian.org/security/2019/dsa-4435
- https://www.debian.org/security/2019/dsa-4448
- https://www.debian.org/security/2019/dsa-4451
- https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html
- https://security-tracker.debian.org/tracker/CVE-2019-7317
- https://security.gentoo.org/glsa/201908-02
- https://github.com/glennrp/libpng/issues/275
- http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20190719-0005/
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2494
- https://access.redhat.com/errata/RHSA-2019:2495
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- https://access.redhat.com/errata/RHSA-2019:1265
- https://access.redhat.com/errata/RHSA-2019:1267
- https://access.redhat.com/errata/RHSA-2019:1269
- https://access.redhat.com/errata/RHSA-2019:1308
- https://access.redhat.com/errata/RHSA-2019:1309
- https://access.redhat.com/errata/RHSA-2019:1310
- http://www.securityfocus.com/bid/108098
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-7317
- https://usn.ubuntu.com/3962-1/
- https://usn.ubuntu.com/3991-1/
- https://usn.ubuntu.com/3997-1/
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
medium severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1d-r2
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1d-r2 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551
- https://seclists.org/bugtraq/2019/Dec/39
- https://seclists.org/bugtraq/2019/Dec/46
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98
- https://www.tenable.com/security/tns-2019-09
- https://www.tenable.com/security/tns-2020-03
- https://www.tenable.com/security/tns-2020-11
- https://www.tenable.com/security/tns-2021-10
- https://www.debian.org/security/2021/dsa-4855
- https://www.debian.org/security/2019/dsa-4594
- https://security-tracker.debian.org/tracker/CVE-2019-1551
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/
- https://security.gentoo.org/glsa/202004-10
- http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://security.netapp.com/advisory/ntap-20191210-0001/
- https://www.openssl.org/news/secadv/20191206.txt
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html
- https://usn.ubuntu.com/4376-1/
- https://usn.ubuntu.com/4504-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551
- https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/
medium severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1d-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1d-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549
- https://seclists.org/bugtraq/2019/Oct/1
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
- https://support.f5.com/csp/article/K44070243
- https://support.f5.com/csp/article/K44070243?utm_source=f5support&utm_medium=RSS
- https://www.debian.org/security/2019/dsa-4539
- https://security-tracker.debian.org/tracker/CVE-2019-1549
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20190919-0002/
- https://www.openssl.org/news/secadv/20190910.txt
- https://usn.ubuntu.com/4376-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.222.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.222.10-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745
- https://kc.mcafee.com/corporate/index?page=content&id=SB10300
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://security-tracker.debian.org/tracker/CVE-2019-2745
- https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2745
- https://usn.ubuntu.com/4080-1/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.222.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.222.10-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816
- https://kc.mcafee.com/corporate/index?page=content&id=SB10300
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://security-tracker.debian.org/tracker/CVE-2019-2816
- https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2494
- https://access.redhat.com/errata/RHSA-2019:2495
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2816
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2975
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2975
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2975
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://www.debian.org/security/2020/dsa-4734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
- https://security.gentoo.org/glsa/202008-24
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://usn.ubuntu.com/4433-1/
- https://usn.ubuntu.com/4453-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.242.08-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.242.08-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2593
- https://seclists.org/bugtraq/2020/Feb/22
- https://seclists.org/bugtraq/2020/Jan/24
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://www.debian.org/security/2020/dsa-4605
- https://www.debian.org/security/2020/dsa-4621
- https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
- https://security-tracker.debian.org/tracker/CVE-2020-2593
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.netapp.com/advisory/ntap-20200122-0003/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
- https://access.redhat.com/errata/RHSA-2020:0122
- https://access.redhat.com/errata/RHSA-2020:0128
- https://access.redhat.com/errata/RHSA-2020:0157
- https://access.redhat.com/errata/RHSA-2020:0196
- https://access.redhat.com/errata/RHSA-2020:0202
- https://access.redhat.com/errata/RHSA-2020:0231
- https://access.redhat.com/errata/RHSA-2020:0232
- https://access.redhat.com/errata/RHSA-2020:0465
- https://access.redhat.com/errata/RHSA-2020:0467
- https://access.redhat.com/errata/RHSA-2020:0468
- https://access.redhat.com/errata/RHSA-2020:0469
- https://access.redhat.com/errata/RHSA-2020:0470
- https://access.redhat.com/errata/RHSA-2020:0541
- https://access.redhat.com/errata/RHSA-2020:0632
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-2593
- https://usn.ubuntu.com/4257-1/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2999
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2999
medium severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1d-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1d-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
- https://seclists.org/bugtraq/2019/Oct/0
- https://seclists.org/bugtraq/2019/Oct/1
- https://seclists.org/bugtraq/2019/Sep/25
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
- https://security.netapp.com/advisory/ntap-20200122-0002/
- https://security.netapp.com/advisory/ntap-20200416-0003/
- https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS
- https://www.tenable.com/security/tns-2019-08
- https://www.tenable.com/security/tns-2019-09
- https://www.debian.org/security/2019/dsa-4539
- https://www.debian.org/security/2019/dsa-4540
- https://security-tracker.debian.org/tracker/CVE-2019-1547
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://security.gentoo.org/glsa/201911-04
- http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
- https://arxiv.org/abs/1909.01785
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20190919-0002/
- https://www.openssl.org/news/secadv/20190910.txt
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
- https://usn.ubuntu.com/4376-1/
- https://usn.ubuntu.com/4376-2/
- https://usn.ubuntu.com/4504-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS
- https://security.netapp.com/advisory/ntap-20240621-0006/
medium severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20201023-0004/
- https://www.debian.org/security/2020/dsa-4779
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.222.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.222.10-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842
- https://kc.mcafee.com/corporate/index?page=content&id=SB10300
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://security-tracker.debian.org/tracker/CVE-2019-2842
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2842
- https://usn.ubuntu.com/4080-1/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2894
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2894
- https://minerva.crocs.fi.muni.cz/
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://www.openwall.com/lists/oss-security/2019/10/02/2
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2894
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2962
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2962
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2964
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2964
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2973
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2973
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2978
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2978
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2981
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2981
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2983
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2983
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2987
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2987
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2988
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2988
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2992
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2992
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://www.debian.org/security/2020/dsa-4734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://usn.ubuntu.com/4433-1/
- https://usn.ubuntu.com/4453-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://www.debian.org/security/2020/dsa-4734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://security.gentoo.org/glsa/202008-24
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://usn.ubuntu.com/4453-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://www.debian.org/security/2020/dsa-4734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://security.gentoo.org/glsa/202008-24
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://usn.ubuntu.com/4453-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://www.debian.org/security/2020/dsa-4734
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://usn.ubuntu.com/4433-1/
- https://usn.ubuntu.com/4453-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20201023-0004/
- https://www.debian.org/security/2020/dsa-4779
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6CJCO52DHIQJHLPF6HMTC5Z2VKFRQMY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMJMTXFJRONFT72YAEQNRFKYZZU4W3HD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKRGVMZT3EUUWKUA6DBT56FT3UOKPHQ2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVPLGNHNJ4UJ6IO6R2XXEKCTCI2DRPDQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YCKZAI4AWSKO5O5VDXHFFKNLOZGZ3KEE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7XEONOP6JB7SD7AMUWZTLZF2L4QD546/
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6CJCO52DHIQJHLPF6HMTC5Z2VKFRQMY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMJMTXFJRONFT72YAEQNRFKYZZU4W3HD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKRGVMZT3EUUWKUA6DBT56FT3UOKPHQ2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVPLGNHNJ4UJ6IO6R2XXEKCTCI2DRPDQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YCKZAI4AWSKO5O5VDXHFFKNLOZGZ3KEE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7XEONOP6JB7SD7AMUWZTLZF2L4QD546/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20201023-0004/
- https://www.debian.org/security/2020/dsa-4779
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20201023-0004/
- https://www.debian.org/security/2020/dsa-4779
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20201023-0004/
- https://www.debian.org/security/2020/dsa-4779
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.242.08-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.242.08-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2583
- https://seclists.org/bugtraq/2020/Feb/22
- https://seclists.org/bugtraq/2020/Jan/24
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://www.debian.org/security/2020/dsa-4605
- https://www.debian.org/security/2020/dsa-4621
- https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
- https://security-tracker.debian.org/tracker/CVE-2020-2583
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.netapp.com/advisory/ntap-20200122-0003/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
- https://access.redhat.com/errata/RHSA-2020:0122
- https://access.redhat.com/errata/RHSA-2020:0128
- https://access.redhat.com/errata/RHSA-2020:0157
- https://access.redhat.com/errata/RHSA-2020:0196
- https://access.redhat.com/errata/RHSA-2020:0202
- https://access.redhat.com/errata/RHSA-2020:0231
- https://access.redhat.com/errata/RHSA-2020:0232
- https://access.redhat.com/errata/RHSA-2020:0465
- https://access.redhat.com/errata/RHSA-2020:0467
- https://access.redhat.com/errata/RHSA-2020:0468
- https://access.redhat.com/errata/RHSA-2020:0469
- https://access.redhat.com/errata/RHSA-2020:0470
- https://access.redhat.com/errata/RHSA-2020:0541
- https://access.redhat.com/errata/RHSA-2020:0632
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-2583
- https://usn.ubuntu.com/4257-1/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.242.08-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.242.08-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590
- https://seclists.org/bugtraq/2020/Feb/22
- https://seclists.org/bugtraq/2020/Jan/24
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://www.debian.org/security/2020/dsa-4605
- https://www.debian.org/security/2020/dsa-4621
- https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
- https://security-tracker.debian.org/tracker/CVE-2020-2590
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.netapp.com/advisory/ntap-20200122-0003/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
- https://access.redhat.com/errata/RHSA-2020:0122
- https://access.redhat.com/errata/RHSA-2020:0128
- https://access.redhat.com/errata/RHSA-2020:0157
- https://access.redhat.com/errata/RHSA-2020:0196
- https://access.redhat.com/errata/RHSA-2020:0202
- https://access.redhat.com/errata/RHSA-2020:0231
- https://access.redhat.com/errata/RHSA-2020:0232
- https://access.redhat.com/errata/RHSA-2020:0541
- https://access.redhat.com/errata/RHSA-2020:0632
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-2590
- https://usn.ubuntu.com/4257-1/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.242.08-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.242.08-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654
- https://seclists.org/bugtraq/2020/Feb/22
- https://seclists.org/bugtraq/2020/Jan/24
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://www.debian.org/security/2020/dsa-4605
- https://www.debian.org/security/2020/dsa-4621
- https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
- https://security-tracker.debian.org/tracker/CVE-2020-2654
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.netapp.com/advisory/ntap-20200122-0003/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
- https://access.redhat.com/errata/RHSA-2020:0122
- https://access.redhat.com/errata/RHSA-2020:0128
- https://access.redhat.com/errata/RHSA-2020:0157
- https://access.redhat.com/errata/RHSA-2020:0196
- https://access.redhat.com/errata/RHSA-2020:0202
- https://access.redhat.com/errata/RHSA-2020:0231
- https://access.redhat.com/errata/RHSA-2020:0232
- https://access.redhat.com/errata/RHSA-2020:0541
- https://access.redhat.com/errata/RHSA-2020:0632
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-2654
- https://usn.ubuntu.com/4257-1/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.242.08-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.242.08-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2659
- https://seclists.org/bugtraq/2020/Feb/22
- https://www.debian.org/security/2020/dsa-4621
- https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
- https://security-tracker.debian.org/tracker/CVE-2020-2659
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.netapp.com/advisory/ntap-20200122-0003/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
- https://access.redhat.com/errata/RHSA-2020:0157
- https://access.redhat.com/errata/RHSA-2020:0196
- https://access.redhat.com/errata/RHSA-2020:0202
- https://access.redhat.com/errata/RHSA-2020:0231
- https://access.redhat.com/errata/RHSA-2020:0465
- https://access.redhat.com/errata/RHSA-2020:0467
- https://access.redhat.com/errata/RHSA-2020:0468
- https://access.redhat.com/errata/RHSA-2020:0469
- https://access.redhat.com/errata/RHSA-2020:0470
- https://access.redhat.com/errata/RHSA-2020:0541
- https://access.redhat.com/errata/RHSA-2020:0632
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-2659
- https://usn.ubuntu.com/4257-1/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.252.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.252.09-r0 or higher.
References
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://usn.ubuntu.com/4337-1/
- https://security.gentoo.org/glsa/202209-15
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
low severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1j-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1j-r0 or higher.
References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30919ab80a478f2d81f2e9acdcca3fa4740cd547
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
- https://security.netapp.com/advisory/ntap-20210219-0009/
- https://www.openssl.org/news/secadv/20210216.txt
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30919ab80a478f2d81f2e9acdcca3fa4740cd547
- https://security.netapp.com/advisory/ntap-20240621-0006/
low severity
- Vulnerable module: openssl/libcrypto1.1
- Introduced through: openssl/libcrypto1.1@1.1.1b-r1 and openssl/libssl1.1@1.1.1b-r1
- Fixed in: 1.1.1d-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openssl/libcrypto1.1@1.1.1b-r1
-
Introduced through: openjdk@8-jdk-alpine › openssl/libssl1.1@1.1.1b-r1
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl
package and not the openssl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Remediation
Upgrade Alpine:3.9
openssl
to version 1.1.1d-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
- https://seclists.org/bugtraq/2019/Oct/0
- https://seclists.org/bugtraq/2019/Oct/1
- https://seclists.org/bugtraq/2019/Sep/25
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
- https://support.f5.com/csp/article/K97324400?utm_source=f5support&utm_medium=RSS
- https://www.tenable.com/security/tns-2019-09
- https://www.debian.org/security/2019/dsa-4539
- https://www.debian.org/security/2019/dsa-4540
- https://security-tracker.debian.org/tracker/CVE-2019-1563
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://security.gentoo.org/glsa/201911-04
- http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20190919-0002/
- https://www.openssl.org/news/secadv/20190910.txt
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
- https://usn.ubuntu.com/4376-1/
- https://usn.ubuntu.com/4376-2/
- https://usn.ubuntu.com/4504-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
- https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.222.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.222.10-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2786
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://security-tracker.debian.org/tracker/CVE-2019-2786
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2786
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.222.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.222.10-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2766
- https://kc.mcafee.com/corporate/index?page=content&id=SB10300
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2766
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2933
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://security-tracker.debian.org/tracker/CVE-2019-2933
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.232.09-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.232.09-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945
- https://seclists.org/bugtraq/2019/Oct/27
- https://seclists.org/bugtraq/2019/Oct/31
- https://www.debian.org/security/2019/dsa-4546
- https://www.debian.org/security/2019/dsa-4548
- https://security-tracker.debian.org/tracker/CVE-2019-2945
- https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html
- https://security.netapp.com/advisory/ntap-20191017-0001/
- http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:4109
- https://access.redhat.com/errata/RHSA-2019:4110
- https://access.redhat.com/errata/RHSA-2019:4113
- https://access.redhat.com/errata/RHSA-2019:4115
- https://access.redhat.com/errata/RHSA-2020:0006
- https://access.redhat.com/errata/RHSA-2020:0046
- https://access.redhat.com/errata/RHSA-2019:3134
- https://access.redhat.com/errata/RHSA-2019:3135
- https://access.redhat.com/errata/RHSA-2019:3136
- https://access.redhat.com/errata/RHSA-2019:3157
- https://access.redhat.com/errata/RHSA-2019:3158
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html
- https://usn.ubuntu.com/4223-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-2945
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20201023-0004/
- https://www.debian.org/security/2020/dsa-4779
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
low severity
- Vulnerable module: openjdk8/openjdk8
- Introduced through: openjdk8/openjdk8@8.212.04-r0, openjdk8/openjdk8-jre@8.212.04-r0 and others
- Fixed in: 8.272.10-r0
Detailed paths
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-base@8.212.04-r0
-
Introduced through: openjdk@8-jdk-alpine › openjdk8/openjdk8-jre-lib@8.212.04-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream openjdk8
package and not the openjdk8
package as distributed by Alpine
.
See How to fix?
for Alpine:3.9
relevant fixed versions and status.
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Remediation
Upgrade Alpine:3.9
openjdk8
to version 8.272.10-r0 or higher.
References
- https://security.netapp.com/advisory/ntap-20201023-0004/
- https://www.debian.org/security/2020/dsa-4779
- https://security.gentoo.org/glsa/202101-19
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html