Ubuntu Security Notice USN-6528-1

Ubuntu Security Notice 6528-1 - It was discovered that the HotSpot VM implementation in OpenJDK did not properly validate bytecode blocks in certain situations. An attacker could possibly use this to cause a denial of service. Carter Kozak discovered that OpenJDK, when compiling with AVX-512 instruction support enabled, could produce code that resulted in memory corruption in certain situations. An attacker targeting applications built in this way could possibly use this to cause a denial of service or execute arbitrary code. In Ubuntu, OpenJDK defaults to not using AVX-512 instructions.

Packet Storm

=========================================================================
Ubuntu Security Notice USN-6528-1
November 29, 2023

openjdk-8 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 23.10
  • Ubuntu 23.04
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in OpenJDK.

Software Description:

  • openjdk-8: Open Source Java implementation

Details:

It was discovered that the HotSpot VM implementation in OpenJDK did not
properly validate bytecode blocks in certain situations. An attacker could
possibly use this to cause a denial of service. (CVE-2022-40433)

Carter Kozak discovered that OpenJDK, when compiling with AVX-512
instruction support enabled, could produce code that resulted in memory
corruption in certain situations. An attacker targeting applications built
in this way could possibly use this to cause a denial of service or execute
arbitrary code. In Ubuntu, OpenJDK defaults to not using AVX-512
instructions. (CVE-2023-22025)

It was discovered that the CORBA implementation in OpenJDK did not properly
perform deserialization of IOR string objects. An attacker could possibly
use this to bypass Java sandbox restrictions. (CVE-2023-22067)

It was discovered that OpenJDK did not properly perform PKIX certification
path validation in certain situations. An attacker could use this to cause
a denial of service. (CVE-2023-22081)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
openjdk-8-jdk 8u392-ga-1~23.10
openjdk-8-jdk-headless 8u392-ga-1~23.10
openjdk-8-jre 8u392-ga-1~23.10
openjdk-8-jre-headless 8u392-ga-1~23.10
openjdk-8-jre-zero 8u392-ga-1~23.10

Ubuntu 23.04:
openjdk-8-jdk 8u392-ga-1~23.04
openjdk-8-jdk-headless 8u392-ga-1~23.04
openjdk-8-jre 8u392-ga-1~23.04
openjdk-8-jre-headless 8u392-ga-1~23.04
openjdk-8-jre-zero 8u392-ga-1~23.04

Ubuntu 22.04 LTS:
openjdk-8-jdk 8u392-ga-1~22.04
openjdk-8-jdk-headless 8u392-ga-1~22.04
openjdk-8-jre 8u392-ga-1~22.04
openjdk-8-jre-headless 8u392-ga-1~22.04
openjdk-8-jre-zero 8u392-ga-1~22.04

Ubuntu 20.04 LTS:
openjdk-8-jdk 8u392-ga-1~20.04
openjdk-8-jdk-headless 8u392-ga-1~20.04
openjdk-8-jre 8u392-ga-1~20.04
openjdk-8-jre-headless 8u392-ga-1~20.04
openjdk-8-jre-zero 8u392-ga-1~20.04

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
openjdk-8-jdk 8u392-ga-1~18.04
openjdk-8-jdk-headless 8u392-ga-1~18.04
openjdk-8-jre 8u392-ga-1~18.04
openjdk-8-jre-headless 8u392-ga-1~18.04
openjdk-8-jre-zero 8u392-ga-1~18.04

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
openjdk-8-jdk 8u392-ga-1~16.04
openjdk-8-jdk-headless 8u392-ga-1~16.04
openjdk-8-jre 8u392-ga-1~16.04
openjdk-8-jre-headless 8u392-ga-1~16.04
openjdk-8-jre-jamvm 8u392-ga-1~16.04
openjdk-8-jre-zero 8u392-ga-1~16.04

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications to make all the necessary changes.
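The update step above comes down to checking each installed openjdk-8 package against the fixed version for the running release. The script below is an added example, not part of the Ubuntu notice or of the openjdk-8 packaging: it reimplements dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting before everything) in Python so that the comparison itself runs anywhere, while `installed_from_dpkg` is the only function that touches the host and assumes a Debian-based system with `dpkg-query`. The package names and the `8u392-ga-1~<release>` versions are taken from the notice; the inventory under `__main__` is a constructed sample.

```python
"""Audit installed openjdk-8 packages against the fixed versions in USN-6528-1.

Added example, not part of the Ubuntu notice. Version comparison follows the
dpkg algorithm so that "8u392-ga-1~22.04" orders the way apt would order it.
"""
import subprocess

# Fixed upstream release from the notice; the Debian revision is per release.
FIXED_UPSTREAM = "8u392-ga"

# Binary packages the notice lists (openjdk-8-jre-jamvm is listed for 16.04 only).
PACKAGES = [
    "openjdk-8-jdk", "openjdk-8-jdk-headless", "openjdk-8-jre",
    "openjdk-8-jre-headless", "openjdk-8-jre-zero", "openjdk-8-jre-jamvm",
]


def fixed_version(release):
    """Fixed package version for an Ubuntu release: '22.04' -> '8u392-ga-1~22.04'."""
    return f"{FIXED_UPSTREAM}-1~{release}"


def _order(c):
    """dpkg character weight: '~' < end-of-string/digit < letters < other symbols."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs are compared character by character via _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs are compared numerically; leading zeros are ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split a Debian version string into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def audit(installed, release):
    """Return the packages from the notice that are installed below the fixed version.

    `installed` maps package name -> version string, as dpkg-query reports it.
    """
    fixed = fixed_version(release)
    return sorted(pkg for pkg, ver in installed.items()
                  if pkg in PACKAGES and compare_versions(ver, fixed) < 0)


def installed_from_dpkg():
    """Read the local dpkg database (assumes a Debian-based host with dpkg-query)."""
    out = subprocess.run(
        ["dpkg-query", "-W", "-f", "${Package} ${Version}\\n", *PACKAGES],
        capture_output=True, text=True, check=False).stdout
    installed = {}
    for line in out.splitlines():
        name, _, ver = line.partition(" ")
        if ver:  # an empty version means the package is known but not installed
            installed[name] = ver
    return installed


if __name__ == "__main__":
    # Constructed sample: a 22.04 host with one package still on the previous upstream release.
    sample = {"openjdk-8-jre-headless": "8u382-ga-1~22.04",
              "openjdk-8-jdk-headless": "8u392-ga-1~22.04"}
    print("below the fixed version on 22.04:", audit(sample, "22.04"))
```

On a real host, replace the sample with `installed_from_dpkg()` and pass the release from `/etc/os-release`. A clean result only means the packages are at or above the fixed version; as the notice says, running Java applications still have to be restarted before the updated runtime is actually in use.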

References:
https://ubuntu.com/security/notices/USN-6528-1
CVE-2022-40433, CVE-2023-22025, CVE-2023-22067, CVE-2023-22081

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-8/8u392-ga-1~23.10
https://launchpad.net/ubuntu/+source/openjdk-8/8u392-ga-1~23.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u392-ga-1~22.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u392-ga-1~20.04

Related news

Red Hat Security Advisory 2024-0879-03

Red Hat Security Advisory 2024-0879-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Issues addressed include denial of service and deserialization vulnerabilities.

Red Hat Security Advisory 2024-0866-03

Red Hat Security Advisory 2024-0866-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and deserialization vulnerabilities.

CVE-2023-48660: DSA-2023-443: Dell PowerMaxOS 5978, Dell Unisphere 360, Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler Virtual Appliance, and Dell PowerMax EEM Secu

Dell vApp Manager, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.

Debian Security Advisory 5548-1

Debian Linux Security Advisory 5548-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service.

Debian Security Advisory 5537-1

Debian Linux Security Advisory 5537-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions or denial of service.

Red Hat Security Advisory 2023-5761-01

Red Hat Security Advisory 2023-5761-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a deserialization vulnerability.

Red Hat Security Advisory 2023-5753-01

Red Hat Security Advisory 2023-5753-01 - The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

Red Hat Security Advisory 2023-5752-01

Red Hat Security Advisory 2023-5752-01 - The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

Red Hat Security Advisory 2023-5751-01

Red Hat Security Advisory 2023-5751-01 - The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

Red Hat Security Advisory 2023-5750-01

Red Hat Security Advisory 2023-5750-01 - The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

Red Hat Security Advisory 2023-5747-01

Red Hat Security Advisory 2023-5747-01 - The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

Red Hat Security Advisory 2023-5746-01

Red Hat Security Advisory 2023-5746-01 - The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. This release of the Red Hat build of OpenJDK 17 for Windows serves as a replacement for the Red Hat build of OpenJDK 17 and includes security and bug fixes, and enhancements.

Red Hat Security Advisory 2023-5745-01

Red Hat Security Advisory 2023-5745-01 - The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. This release of the Red Hat build of OpenJDK 17 for portable Linux serves as a replacement for the Red Hat build of OpenJDK 17 and includes security and bug fixes, and enhancements. Issues addressed include an integer overflow vulnerability.

Red Hat Security Advisory 2023-5744-01

Red Hat Security Advisory 2023-5744-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2022-40433: C2: segmentation fault in ciMethodBlocks::make_block_at(int)

An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service. Note: Vendor states that this is Defense in Depth at most due to the nature of the issue and the special circumstances required (server must be running particular code locally, code compiled with an old, old version of javac, etc.).

CVE-2022-40433: 8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) by yan-too · Pull Request #261 · openjdk/jdk15u-dev

An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.