Bug 941689 (CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235) - dev-java/openjdk{,-jre-bin,-bin}-{8.422_p05,11.0.24_p8, 17.0.12_p7, 21.0.4_p7, 23_p37}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://openjdk.org/groups/vulnerabil...
Whiteboard: B1 [glsa+]
Keywords: PullRequest
Depends on: 941692 941776 942036
Blocks:
Reported: 2024-10-17 10:23 UTC by Volkmar W. Pogatzki
Modified: 2024-12-07 10:37 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Volkmar W. Pogatzki 2024-10-17 10:23:29 UTC
CVE-2024-21235

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).


CVE-2024-21208

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


CVE-2024-21210

Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


CVE-2024-21217

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Comment 1 Larry the Git Cow gentoo-dev 2024-10-18 16:40:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=573c108dad7eb226081ff19241c89a77db909ced

commit 573c108dad7eb226081ff19241c89a77db909ced
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:03:56 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 16:40:28 +0000

    dev-java/openjdk: drop 17.0.12_p7
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 -
 dev-java/openjdk/openjdk-17.0.12_p7.ebuild | 325 -----------------------------
 2 files changed, 326 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c56cbd0d9ce6e2071bf3f8bab9eb5112128ff1c7

commit c56cbd0d9ce6e2071bf3f8bab9eb5112128ff1c7
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:03:22 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 16:40:28 +0000

    dev-java/openjdk: drop 11.0.24_p8
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 -
 dev-java/openjdk/openjdk-11.0.24_p8.ebuild | 316 -----------------------------
 2 files changed, 317 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff0144c66454460d46fccee79dd793fea46b8304

commit ff0144c66454460d46fccee79dd793fea46b8304
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:02:34 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 16:40:28 +0000

    dev-java/openjdk: drop 8.422_p05
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk/Manifest                 |   1 -
 dev-java/openjdk/openjdk-8.422_p05.ebuild | 283 ------------------------------
 2 files changed, 284 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-10-18 17:09:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b571b1450a9febe6b01213bcd876d16cf5f15a0

commit 6b571b1450a9febe6b01213bcd876d16cf5f15a0
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:40:34 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:35 +0000

    dev-java/openjdk-jre-bin: drop 21.0.3_p9
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/39033
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 -
 .../openjdk-jre-bin-21.0.3_p9.ebuild               | 83 ----------------------
 2 files changed, 84 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d453380f7223f10b6c837340acd0c986faa84b53

commit d453380f7223f10b6c837340acd0c986faa84b53
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:36:15 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:34 +0000

    dev-java/openjdk-jre-bin: add 8.432_p06
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-8.432_p06.ebuild               | 82 ++++++++++++++++++++++
 2 files changed, 83 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c7b37368c34af991209ccb3ea798166bca80539

commit 7c7b37368c34af991209ccb3ea798166bca80539
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 06:37:42 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:33 +0000

    dev-java/openjdk-jre-bin: add 11.0.25_p9
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-11.0.25_p9.ebuild              | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d483dea35c0e332809895f7d1779028974fdcc67

commit d483dea35c0e332809895f7d1779028974fdcc67
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 06:36:54 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:31 +0000

    dev-java/openjdk-jre-bin: add 17.0.13_p11
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-17.0.13_p11.ebuild             | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef4debed06dc72c50b83809cc9f0fc87015a1713

commit ef4debed06dc72c50b83809cc9f0fc87015a1713
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 06:35:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:31 +0000

    dev-java/openjdk-jre-bin: add 21.0.5_p11
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-21.0.5_p11.ebuild              | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-10-19 10:01:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f483b3873006b508843dba69ac5985069fc6f9f

commit 2f483b3873006b508843dba69ac5985069fc6f9f
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-19 07:20:32 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-19 10:00:58 +0000

    dev-java/openjdk-jre-bin: drop 8.412_p08, 11.0.23_p9, 17.0.11_p9
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  3 -
 .../openjdk-jre-bin-11.0.23_p9.ebuild              | 83 ----------------------
 .../openjdk-jre-bin-17.0.11_p9.ebuild              | 83 ----------------------
 .../openjdk-jre-bin-8.412_p08.ebuild               | 82 ---------------------
 4 files changed, 251 deletions(-)
Comment 4 Hans de Graaff gentoo-dev Security 2024-10-21 05:50:39 UTC
The summary does not include a version number for slot 8. Was the fixed version left out there or are there no fixes for slot 8?
Comment 5 Volkmar W. Pogatzki 2024-10-21 06:36:49 UTC
Version number 8.422_p05 added.
Comment 6 Volkmar W. Pogatzki 2024-10-21 06:39:35 UTC
Several download files for all slots of openjdk-bin are presently still missing.
Comment 7 Larry the Git Cow gentoo-dev 2024-10-23 20:54:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2aea50a04248fc664e76f12df1ef202bbb7a09a5

commit 2aea50a04248fc664e76f12df1ef202bbb7a09a5
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-23 17:02:44 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-10-23 20:54:13 +0000

    dev-java/openjdk-bin: drop 21.0.4_p7
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-java/openjdk-bin/Manifest                     |   6 -
 dev-java/openjdk-bin/openjdk-bin-21.0.4_p7.ebuild | 135 ----------------------
 2 files changed, 141 deletions(-)
Comment 8 Larry the Git Cow gentoo-dev 2024-10-25 10:14:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d72ea291b144bb88c208d1097377fba9866688c

commit 2d72ea291b144bb88c208d1097377fba9866688c
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-25 08:54:48 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-25 10:14:41 +0000

    dev-java/openjdk-bin: drop 8.422_p05, 11.0.24_p8, 17.0.12_p7
    
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/38836/commits/2fd20da546c5dc586f33459bde855033b5405414
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |  19 ---
 dev-java/openjdk-bin/openjdk-bin-11.0.24_p8.ebuild | 134 --------------------
 dev-java/openjdk-bin/openjdk-bin-17.0.12_p7.ebuild | 135 ---------------------
 dev-java/openjdk-bin/openjdk-bin-8.422_p05.ebuild  | 130 --------------------
 4 files changed, 418 deletions(-)
Comment 9 Volkmar W. Pogatzki 2024-10-25 10:43:50 UTC
The tree is now clean. You can proceed.
Comment 10 Larry the Git Cow gentoo-dev 2024-12-07 10:36:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=80e23d86e15243a81505dad719472035de9e59ff

commit 80e23d86e15243a81505dad719472035de9e59ff
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-07 10:36:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-07 10:36:10 +0000

    [ GLSA 202412-07 ] OpenJDK: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/912719
    Bug: https://bugs.gentoo.org/916211
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-07.xml | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)