Oracle Linux 8 / 9 : java-17-openjdk (ELSA-2024-4568)

high Nessus Plugin ID 202630

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-4568 advisory.

[1:17.0.12.0.7-2.0.1]
- Add Oracle vendor bug URL

[1:17.0.12.0.7-2]
- Update to jdk-17.0.12+7 (GA)
- Update .gitignore to ignore openjdk-17.0.12+7.tar.xz
- Sync java-17-openjdk-portable.specfile
- Set buildver to 7
- Set portablerelease 1
- Set is_ga to 1
- Update sources to openjdk-17.0.12+7.tar.xz
- Resolves: RHEL-46641
- Resolves: RHEL-47019
- ** This tarball is embargoed until 2024-07-16 @ 1pm PT. **

[1:17.0.12.0.6-0.1.ea]
- Add debuginfo section to rpminspect.yaml (OPENJDK-2904)
- Add unicode section to rpminspect.yaml (OPENJDK-2904)

[1:17.0.12.0.6-0.1.ea]
- Add upstream patch that removes illegal RLO Unicode characters (JDK-8332174)
- Sync the copy of the portable specfile with the latest update

[1:17.0.12.0.6-0.1.ea]
- Delete fips-17u-d63771ea660.patch
- Add fips-17u-e893be00150.patch
- Update fipsver to e893be00150

[1:17.0.12.0.6-0.1.ea]
- generate_source_tarball.sh: Use tar exclude options for VCS files
- generate_source_tarball.sh: Improve VCS exclusion

[1:17.0.12.0.6-0.1.ea]
- generate_source_tarball.sh: Update examples in header for clarity
- generate_source_tarball.sh: Cleanup message issued when checkout already exists
- generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP
- generate_source_tarball.sh: Only add --depth=1 on non-local repositories
- icedtea_sync.sh: Reinstate from rhel-8.9.0 branch
- Move maintenance scripts to a scripts subdirectory
- discover_trees.sh: Set compile-command and indentation instructions for Emacs
- discover_trees.sh: shellcheck: Do not use -o (SC2166)
- discover_trees.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268)
- discover_trees.sh: shellcheck: Double-quote variable references (SC2086)
- generate_source_tarball.sh: Add authorship
- icedtea_sync.sh: Set compile-command and indentation instructions for Emacs
- icedtea_sync.sh: shellcheck: Double-quote variable references (SC2086)
- icedtea_sync.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268)
- openjdk_news.sh: Set compile-command and indentation instructions for Emacs
- openjdk_news.sh: shellcheck: Double-quote variable references (SC2086)
- openjdk_news.sh: shellcheck: Remove x-prefixes since we use Bash (SC2268)
- openjdk_news.sh: shellcheck: Remove deprecated egrep usage (SC2196)
- generate_source_tarball.sh: Output values of new options WITH_TEMP and OPENJDK_LATEST
- generate_source_tarball.sh: Double-quote DEPTH reference (SC2086)
- generate_source_tarball.sh: Avoid empty DEPTH reference while still appeasing shellcheck

[1:17.0.12.0.6-0.1.ea]
- Update to jdk-17.0.12+6 (EA)
- Add openjdk-17.0.12+6-ea.tar.xz to .gitignore
- Set updatever to 12
- Set buildver to 6
- Set rpmrelease to 1
- Set is_ga to 0
- Update sources to openjdk-17.0.12+6-ea.tar.xz
- Require tzdata-java 2024a at runtime and for build (JDK-8325150)
- Update lcms2 bundled provides to 2.16.0
- Add zlib 1.3.1 bundled provides and zlib-devel build requirement (OPENJDK-3065)
- Label as error a designator mismatch
- Change a fix-me comment to a note instead
- Sync generate_source_tarball.sh from Fedora rawhide

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2024-4568.html

Plugin Details

Severity: High

ID: 202630

File Name: oraclelinux_ELSA-2024-4568.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/18/2024

Updated: 7/18/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2024-21147

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-headless, p-cpe:/a:oracle:linux:java-17-openjdk-headless-slowdebug, cpe:/a:oracle:linux:9::appstream, cpe:/o:oracle:linux:9, p-cpe:/a:oracle:linux:java-17-openjdk-devel, p-cpe:/a:oracle:linux:java-17-openjdk-demo-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-jmods-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-demo-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-src, p-cpe:/a:oracle:linux:java-17-openjdk-javadoc, p-cpe:/a:oracle:linux:java-17-openjdk-jmods, p-cpe:/a:oracle:linux:java-17-openjdk-src-fastdebug, cpe:/a:oracle:linux:9::codeready_builder, p-cpe:/a:oracle:linux:java-17-openjdk-javadoc-zip, p-cpe:/a:oracle:linux:java-17-openjdk, cpe:/a:oracle:linux:8::appstream, cpe:/a:oracle:linux:8::codeready_builder, p-cpe:/a:oracle:linux:java-17-openjdk-headless-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-devel-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-jmods-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-static-libs, p-cpe:/a:oracle:linux:java-17-openjdk-devel-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-demo, p-cpe:/a:oracle:linux:java-17-openjdk-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-src-slowdebug

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 7/18/2024

Vulnerability Publication Date: 7/16/2024

Reference Information

CVE: CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147