Fedora 36 : java-latest-openjdk (2022-e8698f2e5e)

medium Nessus Plugin ID 169139

Language:

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-e8698f2e5e advisory.

# New in release OpenJDK 19.0.1 (2022-10-18)

* [Full release notes](https://builds.shipilev.net/backports-monitor/release-notes-19.0.1.html)

## CVEs Fixed
- CVE-2022-21618
- CVE-2022-21619
- CVE-2022-21624
- CVE-2022-21628
- CVE-2022-39399

## Security Fixes
- JDK-8282252: Improve BigInteger/Decimal validation
- JDK-8285662: Better permission resolution
- JDK-8286077: Wider MultiByte conversions
- JDK-8286511: Improve macro allocation
- JDK-8286519: Better memory handling
- JDK-8286526: Improve NTLM support
- JDK-8286910: Improve JNDI lookups
- JDK-8286918: Better HttpServer service
- JDK-8287446: Enhance icon presentations
- JDK-8288508: Enhance ECDSA usage
- JDK-8289366: Improve HTTP/2 client usage
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8290334: Update FreeType to 2.12.1

## Major Changes

### [JDK-8292654](https://bugs.openjdk.org/browse/JDK-8292654): G1 Remembered set memory footprint regression after [JDK-8286115](https://bugs.openjdk.org/browse/JDK-8286115) JDK-8286115 changed ergonomic sizing of a component of the remembered sets in G1. This change causes increased native memory usage of the Hotspot VM for applications that create large remembered sets with the G1 collector.

In an internal benchmark total GC component native memory usage rose by almost 10% (from 1.2GB to 1.3GB).

This issue can be worked around by passing double the value of `G1RemSetArrayOfCardsEntries` as printed by running the application with `-XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions` to your application.

E.g. pass `-XX:+UnlockExperimentalVMOptions -XX:G1RemSetArrayOfCardsEntries=128` if a previous run showed a value of `64` for `G1RemSetArrayOfCardsEntries` in the output of `-XX:+PrintFlagsFinal`.

## [JDK-8292579](https://bugs.openjdk.org/browse/JDK-8292579): Update Timezone Data to 2022c

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are ```Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap```.

For more details, refer to the announcement of [2022b](https://mm.icann.org/pipermail/tz- announce/2022-August/000071.html)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected 1:java-latest-openjdk package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2022-e8698f2e5e

Plugin Details

Severity: Medium

ID: 169139

File Name: fedora_2022-e8698f2e5e.nasl

Version: 1.2

Type: local

Agent: unix

Published: 12/22/2022

Updated: 11/14/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-21618

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:36, p-cpe:/a:fedoraproject:fedora:java-latest-openjdk

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/28/2022

Vulnerability Publication Date: 10/17/2022

Reference Information

CVE: CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21628, CVE-2022-39399