-----BEGIN PGP SIGNATURE-----
wsF5BAABCAAjFiEEAPYWTpwtIbr7xH4OWNrRIKaTkWcFAmfPu2EFAwAAAAAACgkQWNrRIKaTkWde
dg/+OOe9UAq3BLCKP6ZlZTnO6Mmgy7m8fEloKIZVCtN7cG0LuOGEWk6+QYbZR7zedxI8fUIeiU2a
abeez0LRm9wFjfAYlqKKv9TmsesS/TctdYSpUg7itiSDdsu/SZetxMFM+Q9mUbOIJLervMz5CnFS
WBBzgnM8lDWI4MO632MQVFMbjEJbeLixoyhMk424VcjKfkIBO9mqZEWR/HE9YpqnKTYEYO68NN4Z
p7ksDm1tEB3KVGPE3FCqJpKhlMh0j5k39pI7Js/C6Js47OChjZPSHwgIKQmtM/v5AoWwWV1hpXNd
a7kdRewRE0Q9KD5FjCDHAuz34ixJNn/sTtX1OK66hWwdUl0nhOBhFa2R7Ov/HlFN10BKUh7PhMek
CYcFFHebxP33uwO62cCdXd/D6qERxVr4SjSg1FrFa8rCDG3TFcH+7x8SdbBIDLW2ftXI/lT77ws6
11DMbXWZyQdLcKFWBdrTmhKcg6ey0EdLn0bMbTfyzSWD3vawCyTiUm59hwJqmD3PId3+9B6nvV5G
luoXwuHUzDpyIIJOFOd4oY0L+rXSadvqdPFv9j5L4Z/JAqLgfbCx2wCm6mcyIELD9yvzRcSDaMdU
PMoCBHJ5X8ez1gISkcaPmlEW8zKXiVC+ZnvAEk+iaSGwzN1PVgXRSGKR2HtlwLr/+Ckbqy4SPCgp
Fb0=
=bNfu
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7338-1
March 11, 2025
openjdk-17-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
Several security issues were fixed in CRaC JDK 17.
Software Description:
- openjdk-17-crac: Open Source Java implementation with Coordinated Restore
at Checkpoints
Details:
Andy Boothe discovered that the Networking component of CRaC JDK 17 did not
properly handle access under certain circumstances. An unauthenticated
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21208)
It was discovered that the Hotspot component of CRaC JDK 17 did not
properly handle vectorization under certain circumstances. An
unauthenticated attacker could possibly use this issue to access
unauthorized resources and expose sensitive information.
(CVE-2024-21210, CVE-2024-21235)
It was discovered that the Serialization component of CRaC JDK 17 did not
properly handle deserialization under certain circumstances. An
unauthenticated attacker could possibly use this issue to cause a denial
of service. (CVE-2024-21217)
It was discovered that the Hotspot component of CRaC JDK 17 did not
properly handle API access under certain circumstances. An unauthenticated
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2025-21502)
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2024-10-15
https://openjdk.org/groups/vulnerability/advisories/2025-01-21
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
openjdk-17-crac-jdk 17.0.14+7-0ubuntu1~24.10
openjdk-17-crac-jdk-headless 17.0.14+7-0ubuntu1~24.10
openjdk-17-crac-jre 17.0.14+7-0ubuntu1~24.10
openjdk-17-crac-jre-headless 17.0.14+7-0ubuntu1~24.10
openjdk-17-crac-jre-zero 17.0.14+7-0ubuntu1~24.10
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7338-1
CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235,
CVE-2025-21502
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17-crac/17.0.14+7-0ubuntu1~24.10
No comments:
Post a Comment