Detections
Analytics

Oracle Linux 8 : java-21-openjdk (ELSA-2023-6887)

low Nessus Plugin ID 186112

Language:

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-6887 advisory.

 [1:21.0.1.0.12-2.0.1]
 - Add Oracle vendor bug URL

 [1:21.0.1.0.12-2]
 - Switch to using portable binaries built on RHEL 7
 - Sync the copy of the portable specfile with the RHEL 7 version
 - Related: RHEL-12997

 [1:21.0.1.0.12-1]
 - Update to jdk-21.0.1.0+12 (GA)
 - Update release notes to 21.0.1.0+12
 - Sync the copy of the portable specfile with the latest update
 - Update openjdk_news script to specify subdirectory last
 - Add missing discover_trees script required by openjdk_news
 - Synchronise bundled versions with 21u sources (FreeType, LCMS, HarfBuzz, libpng)
 - Sync generate_tarball.sh with 11u & 17u version
 - Update bug URL for RHEL to point to the Red Hat customer portal
 - Fix upstream release URL for OpenJDK source
 - Following JDK-8005165, class data sharing can be enabled on all JIT architectures
 - Use tapsets from the misc tarball
 - Introduce 'prelease' for the portable release versioning, to handle EA builds
 - Make sure root installation directory is created first
 - Use in-place substitution for all but the first of the tapset changes
 - Synchronise runtime and buildtime tzdata requirements
 - Remove ghosts for binaries not in java-21-openjdk (pack200, rmid, unpack200)
 - Add missing jfr, jpackage and jwebserver alternative ghosts
 - Move jcmd to the headless package
 - Revert alt-java binary location to being within the JDK tree
 - Resolves: RHEL-12997
 - Resolves: RHEL-14954
 - Resolves: RHEL-14962
 - Resolves: RHEL-14958
 - Related: RHEL-14946
 - Resolves: RHEL-14959
 - Resolves: RHEL-14948

 [1:21.0.1.0.12-1]
 - Exclude classes_nocoops.jsa on i686 and arm32
 - Related: RHEL-14946

 [1:21.0.1.0.12-1]
 - Fix packaging of CDS archives
 - Resolves: RHEL-14946

 [1:21.0.0.0.35-2]
 - Update documentation (README.md)
 - Replace alt-java patch with a binary separate from the JDK
 - Drop stale patches that are of little use any more:
 - * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
 - * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more
 - * No use of system libjpeg turbo to warrant RH649512 patch any more
 - Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
 - Adapt alt-java test to new binary where there is always a set_speculation function
 - Related: RHEL-12997

 [1:21.0.0.0.35-1]
 - Update to jdk-21.0.0+35
 - Update system crypto policy & FIPS patch from new fips-21u tree
 - Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal
 - Drop fakefeaturever now it is no longer needed
 - Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
 - Use upstream release URL for OpenJDK source
 - Re-enable tzdata tests now we are on the latest JDK and things are back in sync
 - Install jaxp.properties introduced by JDK-8303530
 - Install lible.so introduced by JDK-8306983
 - Related: RHEL-12997

 [1:21.0.0.0.35-1]
 - Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798
 - Related: RHEL-12997

 [1:20.0.0.0.36-1]
 - Update to jdk-20.0.2+9
 - Update release notes to 20.0.2+9
 - Update system crypto policy & FIPS patch from new fips-20u tree
 - Update generate_tarball.sh ICEDTEA_VERSION
 - Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain- Normalzeit)
 - Related: RHEL-12997

 [1:20.0.0.0.36-1]
 - Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream
 - Adapted rh1750419-redhat_alt_java.patch
 - Related: RHEL-12997

 [1:19.0.1.0.10-1]
 - Update to jdk-19.0.2 release
 - Update release notes to 19.0.2
 - Rebase FIPS patches from fips-19u branch
 - Remove references to sample directory removed by JDK-8284999
 - Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag
 - Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases
 - Related: RHEL-12997

 [1:18.0.2.0.9-1]
 - Update to jdk-18.0.2 release
 - Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory
 - Rebase FIPS patches from fips-18u branch
 - Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
 - Drop now unused fresh_libjvm, build_hotspot_first, bootjdk and buildjdkver variables, as we don't build a JDK here
 - Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21
 - Disable tzdata tests until we are on the latest JDK and things are back in sync
 - Use empty nss.fips.cfg until it is again available via the FIPS patch
 - Related: RHEL-12997

 [1:18.0.2.0.9-1]
 - Update to ea version of jdk18
 - Add new slave jwebserver and corresponding manpage
 - Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
 - Related: RHEL-12997

 [1:18.0.2.0.9-1]
 - Add javaver- and origin-specific javadoc and javadoczip alternatives.
 - Related: RHEL-12997

 [1:17.0.7.0.7-4]
 - Add files missed by centpkg import.
 - Related: rhbz#2192748

 [1:17.0.7.0.7-3]
 - Create java-21-openjdk package based on java-17-openjdk
 - Related: rhbz#2192748

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2023-6887.html

Plugin Details

Severity: Low

ID: 186112

File Name: oraclelinux_ELSA-2023-6887.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/21/2023

Updated: 10/22/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2023-22025

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:java-21-openjdk-src-fastdebug, p-cpe:/a:oracle:linux:java-21-openjdk-devel-fastdebug, cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:java-21-openjdk-javadoc-zip, p-cpe:/a:oracle:linux:java-21-openjdk-src, p-cpe:/a:oracle:linux:java-21-openjdk-demo, p-cpe:/a:oracle:linux:java-21-openjdk-jmods-fastdebug, p-cpe:/a:oracle:linux:java-21-openjdk-headless, p-cpe:/a:oracle:linux:java-21-openjdk-slowdebug, p-cpe:/a:oracle:linux:java-21-openjdk-jmods-slowdebug, p-cpe:/a:oracle:linux:java-21-openjdk-devel, p-cpe:/a:oracle:linux:java-21-openjdk-headless-fastdebug, cpe:/a:oracle:linux:8::appstream, p-cpe:/a:oracle:linux:java-21-openjdk-demo-fastdebug, cpe:/a:oracle:linux:8:9:appstream_base, p-cpe:/a:oracle:linux:java-21-openjdk-src-slowdebug, cpe:/a:oracle:linux:8::codeready_builder, p-cpe:/a:oracle:linux:java-21-openjdk-static-libs-slowdebug, p-cpe:/a:oracle:linux:java-21-openjdk-devel-slowdebug, p-cpe:/a:oracle:linux:java-21-openjdk-demo-slowdebug, p-cpe:/a:oracle:linux:java-21-openjdk-static-libs, p-cpe:/a:oracle:linux:java-21-openjdk-fastdebug, p-cpe:/a:oracle:linux:java-21-openjdk-static-libs-fastdebug, p-cpe:/a:oracle:linux:java-21-openjdk-javadoc, p-cpe:/a:oracle:linux:java-21-openjdk, p-cpe:/a:oracle:linux:java-21-openjdk-headless-slowdebug, p-cpe:/a:oracle:linux:java-21-openjdk-jmods

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 11/18/2023

Vulnerability Publication Date: 10/17/2023

Reference Information

CVE: CVE-2023-22025, CVE-2023-22081