ID

VAR-202204-0596

CVE

CVE-2022-21434

TITLE

Oracle Java SE  and  Oracle GraalVM Enterprise Edition  In  Libraries  Vulnerability

DESCRIPTION

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). For further information, refer to the release notes linked to in the References section. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2066837 - CVE-2022-24769 moby: Default inheritable capabilities for linux container should be empty 2081642 - Placeholder bug for OCP 4.7.0 extras release 5. For the stable distribution (bullseye), these problems have been fixed in version 17.0.3+7-1~deb11u1. We recommend that you upgrade your openjdk-17 packages. For the detailed security status of openjdk-17 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjdk-17 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmJxl3wACgkQEMKTtsN8 Tja/zg/7BeUmTL3RGbn6PBexYoRYRGd5TIgkjajpMhKJfgMJezJ95sDP1jKZmZ7W 5W7R3iqBYUIjJl+wcoDpSN2HyApXNUkLTMeTbNgJCwipJwk4LG79zcXLxAtBqmJl hKt8ij5V4wQiou1NDhTYpGdLLQUQ8wQEX05veO5U80KYuMc2TzvRwsjzzAF1K3WM zEKV8HJ3SLJcnb24s2PLpoPZLaWerJurcUwQG01OJVlp4smvuBzw1imExMOG5P9D iX9CogACSoupamHCkpInajxtvzLx/Kb39obHOVIJmYlVJif9Vt4XMd+IRFv1ZiWK bvmsexifgn96D2Qc9uoHMKanMsqb5bjN+jtyRSq/BRpADManyU9O0NPFAxuqkBk2 Zj1YiljDHTHdMmp/lnpMZA8Zxnm7JVQlNxxvrBsLttiEhytCkhAxBOzprXg00yoH HQaRiOsPCDUTlvS73V3e5QfqTjWihUHiIwprxzL0nVIq7gZfwDs7/80QPZjm/yPK OwOLGSobA2J/iyEG5VlLEaxyOBeyAfw5uMR5iHe0TKofyxBXFdSo69/oYDB8CVYp ncJxX9e32EIrB/4aqCM9r/nVhos4QdwDfJIWncQVooQQisPd8zXLccSi9PkFxFQS k4BnXv70QlIq9PnWi209kPyaU3TcQwEYRjZJBZqYRESaHLLnPGw= =O0QV -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: java-1.8.0-ibm security update Advisory ID: RHSA-2022:4959-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://access.redhat.com/errata/RHSA-2022:4959 Issue date: 2022-06-08 CVE Names: CVE-2021-35561 CVE-2022-21434 CVE-2022-21443 CVE-2022-21496 ==================================================================== 1. Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64 3. Description: IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR7-FP10. Security Fix(es): * OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561) * OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434) * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443) * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of IBM Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) 2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) 2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) 2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972) 6. Package List: Red Hat Enterprise Linux Client Supplementary (v. 7): x86_64: java-1.8.0-ibm-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-plugin-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-src-1.8.0.7.10-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Supplementary (v. 7): x86_64: java-1.8.0-ibm-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-src-1.8.0.7.10-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 7): ppc64: java-1.8.0-ibm-1.8.0.7.10-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-plugin-1.8.0.7.10-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-src-1.8.0.7.10-1jpp.1.el7.ppc64.rpm ppc64le: java-1.8.0-ibm-1.8.0.7.10-1jpp.1.el7.ppc64le.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1jpp.1.el7.ppc64le.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1jpp.1.el7.ppc64le.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1jpp.1.el7.ppc64le.rpm java-1.8.0-ibm-src-1.8.0.7.10-1jpp.1.el7.ppc64le.rpm s390x: java-1.8.0-ibm-1.8.0.7.10-1jpp.1.el7.s390x.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1jpp.1.el7.s390x.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1jpp.1.el7.s390x.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1jpp.1.el7.s390x.rpm java-1.8.0-ibm-src-1.8.0.7.10-1jpp.1.el7.s390x.rpm x86_64: java-1.8.0-ibm-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-plugin-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-src-1.8.0.7.10-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 7): x86_64: java-1.8.0-ibm-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-plugin-1.8.0.7.10-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-src-1.8.0.7.10-1jpp.1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-35561 https://access.redhat.com/security/cve/CVE-2022-21434 https://access.redhat.com/security/cve/CVE-2022-21443 https://access.redhat.com/security/cve/CVE-2022-21496 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIUAwUBYqFNjNzjgjWX9erEAQgiIA/1FWxZFUVh5VUuwfuL4q1F2+a34xaDFJRC BHEFyCQS6s4VTItl0+M+qSa/Hme2JXg0ro2UpkCN22Te3H65kc+OxvZY04IyAmsr vk2xFLb2O5NXNh6tFvJF0ldnQMCXTTvFUOXonvR3oWzmI2rYoVPu9Eoyk5IIK+// mP/RocS+E7k2DS1HrqU+n+7YEIjw8Ccta6yJN/nVLuvP6829vOCVPvDVVpxOeym4 MYUuCO1vVnYdeTqRtqm4bdUbnEV7Rj+3GwbPfhe0PTTCRPmRZBC8txy37vlr0xbq L1no/07RBuW1GJM1vqnrn7xd9kAGwd/CFfgAx6Id5naf/BnTY7NTnjA5bX9GT2Dv /EP9M2/QhU5HGAchGrHoDjPmYF41tdxnIzAQi7657TwrorVWlT5Nlzb03GSjsz7G uClP/asaRoCpmLXM/c+O9DE0wbMs21+lXR+1fXNqlDXQ4PbF1Dz2chFcpvc+aHNf 7hTf6U9TXKItrR3CX6go0BLONjUmcsvIMNzo/PwoEjXUOn4/hq1SsFPT8+L/oMKo sLkJnjYcW3MuhHjbmUsupskZyHEWvLF+lEfhim2Bb+7XQ77/dTnVeM1TF2pw4346 z3rgMQPDZDryudJUGFQ8lWG3VNsJBVeV0odh3M4fT3TuGpzhLwY8du6XdJfFLuKb p8Zit/zyDw==hqP8 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Summary: Security updated rh-sso-7/sso75-openshift-rhel8 container image is now available for RHEL-8 based Middleware Containers. Description: The rh-sso-7/sso75-openshift-rhel8 container image has been updated for RHEL-8 based Middleware Containers to include the following security issues. Users of rh-sso-7/sso75-openshift-rhel8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images. You can find images updated by this advisory in Red Hat Container Catalog (see References). Solution: The RHEL-8 based Middleware Containers container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally. Bugs fixed (https://bugzilla.redhat.com/): 2071036 - CVE-2022-1245 keycloak: Privilege escalation vulnerability on Token Exchange 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

info disclosure

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-12-21T22:28:53.236000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE