Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 925020 (CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20932, CVE-2024-20945, CVE-2024-20952)

Summary: <dev-java/openjdk{,-jre-bin,-bin}-{8.382_p05,11.0.23_p9,17.0.8.11_p1,21.0.3_p9}: multiple vulnerabilities (Oracle CPU Jan 2024)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gentoo, java, limanski
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://openjdk.org/groups/vulnerability/advisories/2024-01-16
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 931783    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-19 23:34:50 UTC 
Oracle advisory: https://www.oracle.com/security-alerts/cpujan2024.html#AppendixJAVA

CVE-2024-20918:

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVE-2024-20919:

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2024-20921:

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2024-20926:

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2024-20932:

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and  22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2024-20945:

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVE-2024-20952:

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Please bump to >8.391, >11.0.21, >17.0.9, >21.0.1.
Comment 1 Mike Limansky 2024-02-20 10:34:10 UTC 
I've checked simple bump works fine for me at least for =dev-java/openjdk-bin-17.0.10_p7 and =dev-java/openjdk-bin-8.402_p06.
Comment 2 Volkmar W. Pogatzki 2024-04-12 09:44:31 UTC 
(In reply to John Helmert III from comment #0)
> [...]
> Please bump to >8.391, >11.0.21, >17.0.9, >21.0.1.

Presently in the tree are:
8.402_p06-r1
11.0.22_p7
17.0.10_p7
21.0.2_p13
Comment 3 Hans de Graaff gentoo-dev Security 2024-05-12 05:41:07 UTC 
openjdk and openjdk-bin are fine and I've used the current stable versions in teh bug summary.

openjdk-jre-bin still needs the fixed version stable.
Comment 4 Larry the Git Cow gentoo-dev 2024-05-17 09:28:25 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d57754cd3fe53161d876a8043ec720ed7f0f1d3d

commit d57754cd3fe53161d876a8043ec720ed7f0f1d3d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-05-15 21:13:52 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-05-17 09:28:04 +0000

    dev-java/openjdk: drop 11.0.22_p7
    
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/916211
    Bug: https://bugs.gentoo.org/898978
    Bug: https://bugs.gentoo.org/833096
    Bug: https://bugs.gentoo.org/907680
    Bug: https://bugs.gentoo.org/677876
    Bug: https://bugs.gentoo.org/927028
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/36690
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 -
 dev-java/openjdk/openjdk-11.0.22_p7.ebuild | 312 -----------------------------
 2 files changed, 313 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91131f43943639479e42e0fd5a1ea4fbbaf4f708

commit 91131f43943639479e42e0fd5a1ea4fbbaf4f708
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-05-15 21:07:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-05-17 09:28:04 +0000

    dev-java/openjdk-bin: drop 11.0.22_p7
    
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/916211
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |   6 -
 dev-java/openjdk-bin/openjdk-bin-11.0.22_p7.ebuild | 135 ---------------------
 2 files changed, 141 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83181db3d06bdb420ca8cc4bcc7135dbd6286866

commit 83181db3d06bdb420ca8cc4bcc7135dbd6286866
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-05-15 21:04:35 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-05-17 09:28:04 +0000

    dev-java/openjdk-jre-bin: drop 11.0.20.1_p1, 17.0.8.1_p1
    
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/916211
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  2 -
 .../openjdk-jre-bin-11.0.20.1_p1.ebuild            | 83 ----------------------
 .../openjdk-jre-bin-17.0.8.1_p1.ebuild             | 83 ----------------------
 3 files changed, 168 deletions(-)
Comment 5 Volkmar W. Pogatzki 2024-08-31 14:02:05 UTC 
seems no longer to depend on bug #918647
Comment 6 Larry the Git Cow gentoo-dev 2024-12-07 10:36:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=80e23d86e15243a81505dad719472035de9e59ff

commit 80e23d86e15243a81505dad719472035de9e59ff
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-07 10:36:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-07 10:36:10 +0000

    [ GLSA 202412-07 ] OpenJDK: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/912719
    Bug: https://bugs.gentoo.org/916211
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-07.xml | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)