ID

VAR-202204-0596

CVE

CVE-2022-21434

TITLE

Red Hat Security Advisory 2022-2218-01

DESCRIPTION

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21443). Bugs fixed (https://bugzilla.redhat.com/): 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2334 - [release-5.3] Events listing out of order in Kibana 6.8.1 LOG-2450 - http.max_header_size set to 128kb causes communication with elasticsearch to stop working LOG-2481 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.3] 6. ========================================================================= Ubuntu Security Notice USN-5546-1 August 04, 2022 openjdk-8, openjdk-lts, openjdk-17, openjdk-18 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in OpenJDK. Software Description: - openjdk-17: Open Source Java implementation - openjdk-18: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Details: Neil Madden discovered that OpenJDK did not properly verify ECDSA signatures. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 17 and OpenJDK 18. (CVE-2022-21449) It was discovered that OpenJDK incorrectly limited memory when compiling a specially crafted XPath expression. An attacker could possibly use this issue to cause a denial of service. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21426) It was discovered that OpenJDK incorrectly handled converting certain object arguments into their textual representations. An attacker could possibly use this issue to cause a denial of service. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21434) It was discovered that OpenJDK incorrectly validated the encoded length of certain object identifiers. An attacker could possibly use this issue to cause a denial of service. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21443) It was discovered that OpenJDK incorrectly validated certain paths. An attacker could possibly use this issue to bypass the secure validation feature and expose sensitive information in XML files. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21476) It was discovered that OpenJDK incorrectly parsed certain URI strings. An attacker could possibly use this issue to make applications accept invalid of malformed URI strings. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21496) It was discovered that OpenJDK incorrectly generated class code in the Hotspot component. An attacker could possibly use this issue to obtain sensitive information. (CVE-2022-21540) It was dicovered that OpenJDK incorrectly restricted access to the invokeBasic() method in the Hotspot component. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2022-21541) It was discovered that OpenJDK incorrectly computed exponentials. An attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 17. (CVE-2022-21549) It was discovered that OpenJDK includes a copy of Xalan that incorrectly handled integer truncation. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-34169) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: openjdk-11-jdk 11.0.16+8-0ubuntu1~22.04 openjdk-11-jre 11.0.16+8-0ubuntu1~22.04 openjdk-11-jre-headless 11.0.16+8-0ubuntu1~22.04 openjdk-11-jre-zero 11.0.16+8-0ubuntu1~22.04 openjdk-17-jdk 17.0.4+8-1~22.04 openjdk-17-jre 17.0.4+8-1~22.04 openjdk-17-jre-headless 17.0.4+8-1~22.04 openjdk-17-jre-zero 17.0.4+8-1~22.04 openjdk-18-jdk 18.0.2+9-2~22.04 openjdk-18-jre 18.0.2+9-2~22.04 openjdk-18-jre-headless 18.0.2+9-2~22.04 openjdk-18-jre-zero 18.0.2+9-2~22.04 openjdk-8-jdk 8u342-b07-0ubuntu1~22.04 openjdk-8-jre 8u342-b07-0ubuntu1~22.04 openjdk-8-jre-headless 8u342-b07-0ubuntu1~22.04 openjdk-8-jre-zero 8u342-b07-0ubuntu1~22.04 Ubuntu 20.04 LTS: openjdk-11-jdk 11.0.16+8-0ubuntu1~20.04 openjdk-11-jre 11.0.16+8-0ubuntu1~20.04 openjdk-11-jre-headless 11.0.16+8-0ubuntu1~20.04 openjdk-11-jre-zero 11.0.16+8-0ubuntu1~20.04 openjdk-17-jdk 17.0.4+8-1~20.04 openjdk-17-jre 17.0.4+8-1~20.04 openjdk-17-jre-headless 17.0.4+8-1~20.04 openjdk-17-jre-zero 17.0.4+8-1~20.04 openjdk-8-jdk 8u342-b07-0ubuntu1~20.04 openjdk-8-jre 8u342-b07-0ubuntu1~20.04 openjdk-8-jre-headless 8u342-b07-0ubuntu1~20.04 openjdk-8-jre-zero 8u342-b07-0ubuntu1~20.04 Ubuntu 18.04 LTS: openjdk-11-jdk 11.0.16+8-0ubuntu1~18.04 openjdk-11-jre 11.0.16+8-0ubuntu1~18.04 openjdk-11-jre-headless 11.0.16+8-0ubuntu1~18.04 openjdk-11-jre-zero 11.0.16+8-0ubuntu1~18.04 openjdk-17-jdk 17.0.4+8-1~18.04 openjdk-17-jre 17.0.4+8-1~18.04 openjdk-17-jre-headless 17.0.4+8-1~18.04 openjdk-17-jre-zero 17.0.4+8-1~18.04 openjdk-8-jdk 8u342-b07-0ubuntu1~18.04 openjdk-8-jre 8u342-b07-0ubuntu1~18.04 openjdk-8-jre-headless 8u342-b07-0ubuntu1~18.04 openjdk-8-jre-zero 8u342-b07-0ubuntu1~18.04 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5546-1 CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21449, CVE-2022-21476, CVE-2022-21496, CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-34169 Package Information: https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~22.04 https://launchpad.net/ubuntu/+source/openjdk-18/18.0.2+9-2~22.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~22.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~22.04 https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~20.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~20.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~20.04 https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~18.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~18.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~18.04 . Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.8.41. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2022:2270 Space precludes documenting all of the container images in this advisory. You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.41-x86_64 The image digest is sha256:4ebcb3aea63d4acbb92118d3ae7ed08d3ebb1a66e7f79fddbb4da74883a12d0a (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.41-s390x The image digest is sha256:5ed0fc5b89e3ec257db50f936f788492211e4de4a741f930191ab2d3bc7ceec3 (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.41-ppc64le The image digest is sha256:908ec3688cc152b15faaea3f71bb4ba59565df60e9846f08fcd15a6c2b43274a All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2057544 - Cancel rpm-ostree transaction after failed rebase 2058674 - whereabouts IPAM CNI ip-reconciler cronjob specification requires hostnetwork, api-int lb usage & proper backoff 2062655 - [4.8.z backport] cluster scaling new nodes ovs-configuration fails on all new nodes 2070762 - [4.8z] WebScale: duplicate ecmp next hop error caused by multiple of the same gateway IPs in ovnkube cache 2074053 - Internal registries with a big number of images delay pod creation due to recursive SELinux file context relabeling 2074680 - csv_succeeded metric not present in olm-operator for all successful CSVs 2076211 - CVE-2022-1677 openshift/router: route hijacking attack via crafted HAProxy configuration file 2077004 - Bump to latest available 1.21.11 k8s 2077370 - [4.8.z] NetworkPolicy tests are failing on metal IPv6 2077765 - (release-4.8) Gather namespace names with overlapping UID ranges 2078477 - Latest ose-jenkins-agent-base:v4.9.0 image fails to start on OpenShift due to FIPS error 2084259 - [4.8] OCP ignores STOPSIGNAL in Dockerfile and sends SIGTERM 2088196 - Redfish set boot device failed for node in OCP 4.8 latest RC 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: java-1.8.0-ibm security update Advisory ID: RHSA-2022:5837-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:5837 Issue date: 2022-08-02 CVE Names: CVE-2021-35561 CVE-2022-21434 CVE-2022-21443 CVE-2022-21496 ==================================================================== 1. Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Supplementary (v. 8) - ppc64le, s390x, x86_64 3. Description: IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR7-FP10. Security Fix(es): * OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561) * OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434) * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443) * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of IBM Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) 2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) 2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) 2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972) 6. Package List: Red Hat Enterprise Linux Supplementary (v. 8): ppc64le: java-1.8.0-ibm-1.8.0.7.10-1.el8_6.ppc64le.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1.el8_6.ppc64le.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1.el8_6.ppc64le.rpm java-1.8.0-ibm-headless-1.8.0.7.10-1.el8_6.ppc64le.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1.el8_6.ppc64le.rpm java-1.8.0-ibm-plugin-1.8.0.7.10-1.el8_6.ppc64le.rpm java-1.8.0-ibm-src-1.8.0.7.10-1.el8_6.ppc64le.rpm java-1.8.0-ibm-webstart-1.8.0.7.10-1.el8_6.ppc64le.rpm s390x: java-1.8.0-ibm-1.8.0.7.10-1.el8_6.s390x.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1.el8_6.s390x.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1.el8_6.s390x.rpm java-1.8.0-ibm-headless-1.8.0.7.10-1.el8_6.s390x.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1.el8_6.s390x.rpm java-1.8.0-ibm-src-1.8.0.7.10-1.el8_6.s390x.rpm x86_64: java-1.8.0-ibm-1.8.0.7.10-1.el8_6.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.7.10-1.el8_6.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.7.10-1.el8_6.x86_64.rpm java-1.8.0-ibm-headless-1.8.0.7.10-1.el8_6.x86_64.rpm java-1.8.0-ibm-jdbc-1.8.0.7.10-1.el8_6.x86_64.rpm java-1.8.0-ibm-plugin-1.8.0.7.10-1.el8_6.x86_64.rpm java-1.8.0-ibm-src-1.8.0.7.10-1.el8_6.x86_64.rpm java-1.8.0-ibm-webstart-1.8.0.7.10-1.el8_6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYuqtQtzjgjWX9erEAQiKcQ//cLT6WktkC0RdGKMnXfqPYE1XEgVzDMQs qt6vConknSdPnXr5MkcKsitAf7+V/n9GKqV/gReOMypR1OOO1u4liU7b0vWRtR9U txnquHFGAyebY8az1ugd4Yf16RiId+TgpICpmgHzoEy8NC8DLPFFwUas9t5Uu/FR 7PZSZS13HQ3kTRhYaBFgEWU9fGn8huP5ReAw+JRkd8tZlBmHv/OTLA4W4+ctADFP 14StepQDoWcpaI6IRD2VCnB2C1Kb23V8k4J4RjPnPjYKtUlYvgfIqaGxPTZStEI5 J83RS7WFNFvMDqLwmd3cX7ytxYLFs89B0GGrdOib8UJ/Kji9aEu69q+cpZEp39VA cPgSnyY74566Lfd1Qh24jZbENkaWyeiIm85fEjPafBoA4OoHI/fsVRC68d9qY8DR 5iRdqn8CpbCNhi82ysu5LYLF0hS6UjA//+jw19EjL7XyxWotnBsAD59VXzY1y0xW yMn5YocNHh5qKj8NjKWT1FarqVGfGsu/4js0PrzzUNaamztaqrsqsUvN0MNkx0w6 4Invi9zwQVk/zHRdfQ54JT9wlQXNh0cJbNn1nV2tRLWaaAUUvQqR5Ga1GSrnA5wB cV97qSfX5VXr+I45A79V0kQ802jjz13kW8TCBJbpOvA5E7Q4CqgBwsCHoaWPfyKl OaijEQoubcM=o/eU -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . This update rectifies this situation and again uses the database provided in the JDK bundle. Users may also now configure the cacerts database in the java.security file using the property security.systemCACerts. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-01-28T21:07:04.612000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE