Several OpenJDK Vulnerabilities Fixed
2024-02-27 17:00:13 Author: securityboulevard.com

Recently, several vulnerabilities were discovered in the OpenJDK Java runtime. They could be exploited for side-channel attacks, leaking of sensitive data to log files, denial of service, or bypass of sandbox restrictions. The affected versions include 21.0.1, 17.0.9, 11.0.21, 8u392, and earlier.

In this article, we will explore the details of these vulnerabilities and understand their impact on Java deployments.

High-Severity OpenJDK Vulnerabilities

CVE-2024-20918 (CVSS 3 Severity Score: 7.4 High)

This flaw enables an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Successful exploitation could lead to unauthorized access to critical data and the ability to modify or delete data. This vulnerability is exploitable through APIs in the specified components, such as via web services, and affects Java deployments, particularly in sandboxed environments running untrusted code from the internet.

CVE-2024-20926 (CVSS 3 Severity Score: 5.9 Medium)

This OpenJDK vulnerability also grants network-based attackers access to Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, potentially allowing unauthorized data access. It can be exploited through APIs, such as web services, and impacts Java deployments, especially sandboxed environments that run untrusted internet code and rely on the Java sandbox for security.

CVE-2024-20932 (CVSS 3 Severity Score: 7.5 High)

This vulnerability, easily exploitable via multiple protocols, allows unauthenticated attackers to compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Exploiting it can lead to unauthorized access to critical data and unauthorized modifications. It affects Java deployments, especially in sandboxed environments like Java Web Start applications or Java applets running untrusted code. It doesn’t impact Java deployments limited to running trusted code, such as those on servers.

CVE-2024-20952 (CVSS 3 Severity Score: 7.4 High)

This vulnerability, challenging to exploit, enables an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It can lead to unauthorized access, creation, deletion, or modification of critical data. Notably, it affects Java deployments in clients running sandboxed Java Web Start applications or applets loading untrusted code. It doesn’t impact Java deployments on servers running only trusted code.

Medium-Severity OpenJDK Vulnerabilities

CVE-2024-20919 (CVSS 3 Severity Score: 5.9 Medium)

This vulnerability allows unauthenticated attackers with network access to potentially compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Exploiting it could lead to unauthorized data access or full control over the affected systems. This risk extends to Java deployments, particularly in sandboxed environments running untrusted code.

CVE-2024-20921 (CVSS 3 Severity Score: 5.9 Medium)

This vulnerability allows unauthenticated attackers to compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, potentially granting unauthorized access to critical data. It can be exploited via APIs and affects Java deployments, particularly in sandboxed environments running untrusted internet-sourced code.

CVE-2024-20945 (CVSS 3 Severity Score: 4.7 Medium)

This vulnerability, challenging to exploit, allows a low-privileged attacker with infrastructure login access to compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Successful exploitation can lead to unauthorized access to critical data or complete data access. It can be exploited through APIs within the component, such as via a web service supplying data. This vulnerability also affects Java deployments, especially in sandboxed environments like Java Web Start applications or Java applets running untrusted code.

Conclusion

The OpenJDK security group has addressed these vulnerabilities in the new releases. It is recommended to upgrade existing installations as soon as possible. TuxCare’s SecureChain for Java provides access to a single trusted repository of vulnerability-free Java packages and libraries to keep your applications secure.

The Debian security team also issued patches for these OpenJDK vulnerabilities, addressing them in the openjdk-11 and openjdk-17 packages. It is advised to upgrade your openjdk-11 and openjdk-17 packages in Debian to mitigate the associated risks. To automate security patching on your Linux servers, you can leverage TuxCare’s KernelCare Enterprise live patching solution. It deploys all vulnerability patches without having to reboot the server. Learn more about live patching and how it helps to manage vulnerabilities.
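To check whether an installed JDK falls within the affected versions listed above, here is an added POSIX shell example (not from the TuxCare post or the OpenJDK project). It assumes `java` is on PATH for the live check, and treats major releases the article does not mention as unknown rather than guessing.

```shell
#!/bin/sh
# Added example, not from the TuxCare post: classify a JDK version string
# against the affected releases the article names (21.0.1, 17.0.9, 11.0.21,
# 8u392 and earlier). Output is "affected", "fixed" or "unknown".

# Normalise a version string to "major minor patch":
#   "1.8.0_392" -> "8 0 392"   (legacy 8u format)
#   "17.0.9"    -> "17 0 9"
#   "11.0.21+9" -> "11 0 21"   (build suffix dropped)
jdk_normalize() {
    v=${1%%[+-]*}
    case "$v" in
        1.8.0_*) echo "8 0 ${v#1.8.0_}" ;;
        *)  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
            echo "${1:-0} ${2:-0} ${3:-0}" ;;
    esac
}

# Compare against the last affected patch level of each major release the
# article lists. Majors it does not mention (assumption: e.g. 9, 10, 22)
# are reported as "unknown" instead of being guessed.
jdk_affected() {
    set -- $(jdk_normalize "$1")
    major=$1; minor=$2; patch=$3
    case "$major" in
        8)  limit=392 ;;
        11) limit=21 ;;
        17) limit=9 ;;
        21) limit=1 ;;
        *)  echo unknown; return 0 ;;
    esac
    # Every listed release has minor 0, so a non-zero minor is newer than the fix.
    if [ "$minor" -eq 0 ] && [ "$patch" -le "$limit" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Pull the quoted version out of the first line of `java -version` output,
# e.g. 'openjdk version "17.0.9" 2023-10-17'.
jdk_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Check the JDK on PATH, if there is one.
if command -v java >/dev/null 2>&1; then
    ver=$(jdk_version_from_banner "$(java -version 2>&1 | head -n 1)")
    echo "installed JDK $ver: $(jdk_affected "$ver")"
fi
```

Run it on each host, or feed version strings taken from inventory data to `jdk_affected` directly.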

Sources: OpenJDK Vulnerability Advisory, National Vulnerability Database.


*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/several-openjdk-vulnerabilities-fixed/

Article source: https://securityboulevard.com/2024/02/several-openjdk-vulnerabilities-fixed/