Red Hat Security Advisory 2022-7050-01 - The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. This release of the Red Hat build of OpenJDK 8 for portable Linux serves as a replacement for Red Hat build of OpenJDK 8 and includes security and bug fixes as well as enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include a randomization vulnerability.
755052db7c3abf0e9d55b16f0f50a0efd67175f320044d4d95c3e0fb23b96c51-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenJDK 8u352 Security Update for Portable Linux Builds
Advisory ID: RHSA-2022:7050-01
Product: OpenJDK
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7050
Issue date: 2022-10-20
CVE Names: CVE-2022-21619 CVE-2022-21624 CVE-2022-21626
CVE-2022-21628
====================================================================
1. Summary:
The Red Hat build of OpenJDK 8 (java-1.8.0-openjdk) is now available for
portable Linux.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and
the OpenJDK 8 Java Software Development Kit.
This release of the Red Hat build of OpenJDK 8 (8u352) for portable Linux
serves as a replacement for Red Hat build of OpenJDK 8 (8u342) and includes
security and bug fixes as well as enhancements. For further information,
refer to the release notes linked to in the References section.
Security Fix(es):
* OpenJDK: improper handling of long NTLM client hostnames (Networking,
8286526) (CVE-2022-21619)
* OpenJDK: excessive memory allocation in X.509 certificate parsing
(Libraries, 8286533) (CVE-2022-21626)
* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI,
8286910) (CVE-2022-21624)
* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server,
8286918) (CVE-2022-21628)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/openjdk/8/html/installing_and_using_openjdk_8_for_rhel/assembly_installing-openjdk-8-on-red-hat-enterprise-linux_openjdk#installing-jdk11-on-rhel-using-archive_openjdk
4. Bugs fixed (https://bugzilla.redhat.com/):
2133745 - CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)
2133753 - CVE-2022-21626 OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)
2133765 - CVE-2022-21624 OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)
2133769 - CVE-2022-21628 OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)
5. References:
https://access.redhat.com/security/cve/CVE-2022-21619
https://access.redhat.com/security/cve/CVE-2022-21624
https://access.redhat.com/security/cve/CVE-2022-21626
https://access.redhat.com/security/cve/CVE-2022-21628
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY1FiNdzjgjWX9erEAQjh9A//Y+wmqFn+nyZNgxiY6x/234XPYSL0WSyD
O2GSj68YQDlBtcn8jrPIJEFOpm7nfUGVpII57sFQP4skqM49Ift8rhaE+MIYTQ7k
dgWlABYxVJU4ptU18QbKtCWEJxdij1gm/8or/Sg385zV3+VcGRT6iPxGbWPbq8V1
R4siduc8JBlUk2jCbJM/OmLtfL0eQTxwwSvvpqqqaOgRla7cDt2NI1zzJvy9cA2q
fmgqHvhTe2o3CXtManguJBfo6mwuYHRj0z6c3iOefNY8Ia/80poDw2VPGwVb/DAP
/zu9caL6lPe8H2UKDYcj4307Uuf0U0XalTnr0Vob+jvPcyaGWBQVyxKkXMXK5b9B
sOk3bB5V0NNuajjk1CPijKSDNAM8N9U9CgzVtprUW2MNcAkcNpZbY1l5egWtRWvI
HjudZIaa6WMFfCvEfpvaiaJOtB7BGWstVisjyKvUbh2D1iaAlneFPdK6I7KZkzbT
NGXwbkLI844xANzhK3yAcn39/HYFZCu6yFDsLuhg6pFRYLqVxXIOOn5rIs45QPNL
TaRYjxxN+8vDqhNh/AfHrs2+4p5Wr9165tpjG9OZDh65VQxzroX2OSz4At6bXCVP
lNlF6HB0ofjkto8fNqnOlaJtN8yOvgaW1bibzHKTufvLY0JXcYjqWrDPU6IS9vkS
exATD5jqOYo=/ngT
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed