Ubuntu Security Notice 6077-1 - Ben Smyth discovered that OpenJDK incorrectly handled half-duplex connections during TLS handshake. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. It was discovered that OpenJDK incorrectly handled certain inputs. An attacker could possibly use this issue to insert, edit or obtain sensitive information.
e55b8ae2444473529159e92a21b7de23ff79ac167ebabd54e20dcb07f03f0efc
=========================================================================
Ubuntu Security Notice USN-6077-1
May 16, 2023
openjdk-8, openjdk-lts, openjdk-17, openjdk-20 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in OpenJDK.
Software Description:
- openjdk-17: Open Source Java implementation
- openjdk-20: Open Source Java implementation
- openjdk-8: Open Source Java implementation
- openjdk-lts: Open Source Java implementation
Details:
Ben Smyth discovered that OpenJDK incorrectly handled half-duplex
connections during TLS handshake. A remote attacker could possibly use
this issue to insert, edit or obtain sensitive information.
(CVE-2023-21930)
It was discovered that OpenJDK incorrectly handled certain inputs. An
attacker could possibly use this issue to insert, edit or obtain sensitive
information. (CVE-2023-21937)
It was discovered that OpenJDK incorrectly handled command arguments. An
attacker could possibly use this issue to insert, edit or obtain sensitive
information. (CVE-2023-21938)
It was discovered that OpenJDK incorrectly validated HTML documents. An
attacker could possibly use this issue to insert, edit or obtain sensitive
information. (CVE-2023-21939)
Ramki Ramakrishna discovered that OpenJDK incorrectly handled garbage
collection. An attacker could possibly use this issue to bypass Java
sandbox restrictions. (CVE-2023-21954)
Jonathan Looney discovered that OpenJDK incorrectly handled certificate
chains during TLS session negotiation. A remote attacker could possibly
use this issue to cause a denial of service. (CVE-2023-21967)
Adam Reziouk discovered that OpenJDK incorrectly sanitized URIs. An
attacker could possibly use this issue to bypass Java sandbox
restrictions. (CVE-2023-21968)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
openjdk-11-jdk 11.0.19+7~us1-0ubuntu1~23.04
openjdk-11-jre 11.0.19+7~us1-0ubuntu1~23.04
openjdk-11-jre-headless 11.0.19+7~us1-0ubuntu1~23.04
openjdk-11-jre-zero 11.0.19+7~us1-0ubuntu1~23.04
openjdk-17-jdk 17.0.7+7~us1-0ubuntu1~23.04
openjdk-17-jre 17.0.7+7~us1-0ubuntu1~23.04
openjdk-17-jre-headless 17.0.7+7~us1-0ubuntu1~23.04
openjdk-17-jre-zero 17.0.7+7~us1-0ubuntu1~23.04
openjdk-20-jdk 20.0.1+9~us1-0ubuntu1~23.04
openjdk-20-jre 20.0.1+9~us1-0ubuntu1~23.04
openjdk-20-jre-headless 20.0.1+9~us1-0ubuntu1~23.04
openjdk-20-jre-zero 20.0.1+9~us1-0ubuntu1~23.04
openjdk-8-jdk 8u372-ga~us1-0ubuntu1~23.04
openjdk-8-jre 8u372-ga~us1-0ubuntu1~23.04
openjdk-8-jre-headless 8u372-ga~us1-0ubuntu1~23.04
openjdk-8-jre-zero 8u372-ga~us1-0ubuntu1~23.04
Ubuntu 22.10:
openjdk-11-jdk 11.0.19+7~us1-0ubuntu1~22.10.1
openjdk-11-jre 11.0.19+7~us1-0ubuntu1~22.10.1
openjdk-11-jre-headless 11.0.19+7~us1-0ubuntu1~22.10.1
openjdk-11-jre-zero 11.0.19+7~us1-0ubuntu1~22.10.1
openjdk-17-jdk 17.0.7+7~us1-0ubuntu1~22.10.2
openjdk-17-jre 17.0.7+7~us1-0ubuntu1~22.10.2
openjdk-17-jre-headless 17.0.7+7~us1-0ubuntu1~22.10.2
openjdk-17-jre-zero 17.0.7+7~us1-0ubuntu1~22.10.2
openjdk-20-jdk 20.0.1+9~us1-0ubuntu1~22.10
openjdk-20-jre 20.0.1+9~us1-0ubuntu1~22.10
openjdk-20-jre-headless 20.0.1+9~us1-0ubuntu1~22.10
openjdk-20-jre-zero 20.0.1+9~us1-0ubuntu1~22.10
openjdk-8-jdk 8u372-ga~us1-0ubuntu1~22.10
openjdk-8-jre 8u372-ga~us1-0ubuntu1~22.10
openjdk-8-jre-headless 8u372-ga~us1-0ubuntu1~22.10
openjdk-8-jre-zero 8u372-ga~us1-0ubuntu1~22.10
Ubuntu 22.04 LTS:
openjdk-11-jdk 11.0.19+7~us1-0ubuntu1~22.04.1
openjdk-11-jre 11.0.19+7~us1-0ubuntu1~22.04.1
openjdk-11-jre-headless 11.0.19+7~us1-0ubuntu1~22.04.1
openjdk-11-jre-zero 11.0.19+7~us1-0ubuntu1~22.04.1
openjdk-17-jdk 17.0.7+7~us1-0ubuntu1~22.04.2
openjdk-17-jre 17.0.7+7~us1-0ubuntu1~22.04.2
openjdk-17-jre-headless 17.0.7+7~us1-0ubuntu1~22.04.2
openjdk-17-jre-zero 17.0.7+7~us1-0ubuntu1~22.04.2
openjdk-8-jdk 8u372-ga~us1-0ubuntu1~22.04
openjdk-8-jre 8u372-ga~us1-0ubuntu1~22.04
openjdk-8-jre-headless 8u372-ga~us1-0ubuntu1~22.04
openjdk-8-jre-zero 8u372-ga~us1-0ubuntu1~22.04
Ubuntu 20.04 LTS:
openjdk-11-jdk 11.0.19+7~us1-0ubuntu1~20.04.1
openjdk-11-jre 11.0.19+7~us1-0ubuntu1~20.04.1
openjdk-11-jre-headless 11.0.19+7~us1-0ubuntu1~20.04.1
openjdk-11-jre-zero 11.0.19+7~us1-0ubuntu1~20.04.1
openjdk-17-jdk 17.0.7+7~us1-0ubuntu1~20.04
openjdk-17-jre 17.0.7+7~us1-0ubuntu1~20.04
openjdk-17-jre-headless 17.0.7+7~us1-0ubuntu1~20.04
openjdk-17-jre-zero 17.0.7+7~us1-0ubuntu1~20.04
openjdk-8-jdk 8u372-ga~us1-0ubuntu1~20.04
openjdk-8-jre 8u372-ga~us1-0ubuntu1~20.04
openjdk-8-jre-headless 8u372-ga~us1-0ubuntu1~20.04
openjdk-8-jre-zero 8u372-ga~us1-0ubuntu1~20.04
Ubuntu 18.04 LTS:
openjdk-11-jdk 11.0.19+7~us1-0ubuntu1~18.04.1
openjdk-11-jre 11.0.19+7~us1-0ubuntu1~18.04.1
openjdk-11-jre-headless 11.0.19+7~us1-0ubuntu1~18.04.1
openjdk-11-jre-zero 11.0.19+7~us1-0ubuntu1~18.04.1
openjdk-17-jdk 17.0.7+7~us1-0ubuntu1~18.04
openjdk-17-jre 17.0.7+7~us1-0ubuntu1~18.04
openjdk-17-jre-headless 17.0.7+7~us1-0ubuntu1~18.04
openjdk-17-jre-zero 17.0.7+7~us1-0ubuntu1~18.04
openjdk-8-jdk 8u372-ga~us1-0ubuntu1~18.04
openjdk-8-jre 8u372-ga~us1-0ubuntu1~18.04
openjdk-8-jre-headless 8u372-ga~us1-0ubuntu1~18.04
openjdk-8-jre-zero 8u372-ga~us1-0ubuntu1~18.04
Ubuntu 16.04 ESM:
openjdk-8-jdk 8u372-ga~us1-0ubuntu1~16.04
openjdk-8-jre 8u372-ga~us1-0ubuntu1~16.04
openjdk-8-jre-headless 8u372-ga~us1-0ubuntu1~16.04
openjdk-8-jre-zero 8u372-ga~us1-0ubuntu1~16.04
This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6077-1
CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939,
CVE-2023-21954, CVE-2023-21967, CVE-2023-21968
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.7+7~us1-0ubuntu1~23.04
https://launchpad.net/ubuntu/+source/openjdk-20/20.0.1+9~us1-0ubuntu1~23.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u372-ga~us1-0ubuntu1~23.04
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.19+7~us1-0ubuntu1~23.04
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.7+7~us1-0ubuntu1~22.10.2
https://launchpad.net/ubuntu/+source/openjdk-20/20.0.1+9~us1-0ubuntu1~22.10
https://launchpad.net/ubuntu/+source/openjdk-8/8u372-ga~us1-0ubuntu1~22.10
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.19+7~us1-0ubuntu1~22.10.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.7+7~us1-0ubuntu1~22.04.2
https://launchpad.net/ubuntu/+source/openjdk-8/8u372-ga~us1-0ubuntu1~22.04
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.19+7~us1-0ubuntu1~22.04.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.7+7~us1-0ubuntu1~20.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u372-ga~us1-0ubuntu1~20.04
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.19+7~us1-0ubuntu1~20.04.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.7+7~us1-0ubuntu1~18.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u372-ga~us1-0ubuntu1~18.04
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.19+7~us1-0ubuntu1~18.04.1