Detections
Analytics

Oracle Linux 8 / 9 : java-11-openjdk (ELSA-2024-4567)

high Nessus Plugin ID 202634

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-4567 advisory.

 [11.0.24.0.8-2.0.1]
 - Add Oracle vendor bug URL [Orabug: 34340155]

 [1:11.0.24.0.8-1]
 - Update to jdk-11.0.24+8 (GA)
 - Update release notes to 11.0.24+8
 - Adjusted DTLS & RPATH NEWS entries to match OpenJDK 17 & 21 release notes
 - Switch to GA mode for release
 - Fix Provides to reflect up to date component versions
 - Add zlib build required or bundled version (1.3.1), depending on system_libs setting
 - Resolves: RHEL-45202
 - ** This tarball is embargoed until 2024-07-16 @ 1pm PT. **

 [1:11.0.23.0.9-2]
 - Fix 11.0.22 release date in NEWS

 [1:11.0.23.0.9-1]
 - Update to jdk-11.0.23+9 (GA)
 - Update release notes to 11.0.23+9
 - Switch to GA mode for release
 - Require tzdata 2024a due to upstream inclusion of JDK-8322725
 - Only require tzdata 2023d for now as 2024a is unavailable in buildroot
 - ** This tarball is embargoed until 2024-04-16 @ 1pm PT. **
 - Resolves: RHEL-30920

 [1:11.0.23.0.1-0.1.ea]
 - Update to jdk-11.0.23+1 (EA)
 - Update release notes to 11.0.23+1
 - Switch to EA mode

 [1:11.0.22.0.7-1]
 - Update to jdk-11.0.22+7 (GA)
 - Sync the copy of the portable specfile with the latest update
 - Drop local copy of JDK-8312489 which is now included upstream
 - ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
 - Resolves: RHEL-20991

 [1:11.0.21.0.9-2]
 - Update to jdk-11.0.21+9 (GA)
 - Sync the copy of the portable specfile with the latest update
 - Re-generate FIPS patch against 11.0.21+1 following backport of JDK-8155246
 - Re-generate SHA3 patch following backport of JDK-8242151
 - Bump libpng version to 1.6.39 following JDK-8305815
 - Bump HarfBuzz version to 7.2.0 following JDK-8307301
 - Bump freetype version to 2.13.0 following JDK-8306881
 - Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
 - Update bug URL for RHEL to point to the Red Hat customer portal
 - Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
 - Apply all patches using -p1
 - Drop local backport of JDK-8243210 which is upstream from 11.0.21+2
 - Add missing JFR alternative ghost
 - Move jcmd to the headless package
 - ** This tarball is embargoed until 2023-10-17 @ 1pm PT. **
 - Resolves: RHEL-12214
 - Resolves: RHEL-13526
 - Resolves: RHEL-13529
 - Resolves: RHEL-13532
 - Resolves: RHEL-13536
 - Resolves: RHEL-13539

 [1:11.0.20.1.1-2]
 - Bump release number so we are newer than 9.0
 - Related: rhbz#2236590

 [1:11.0.20.1.1-1]
 - Update to jdk-11.0.20.1+1 (GA)
 - Add backport of JDK-8312489 already upstream in 11.0.22 (see OPENJDK-2095)
 - Add backport of JDK-8243210 already upstream in 11.0.21 (see RH2229269)
 - Update openjdk_news script to specify subdirectory last
 - Add missing discover_trees script required by openjdk_news
 - Resolves: rhbz#2236590

 [1:11.0.20.0.8-3]
 - Fix tzdata requirement copy-and-paste error that led to two BuildRequires and no Requires
 - Resolves: rhbz#2224420

 [1:11.0.20.0.8-2]
 - Bump release number so we are newer than 9.0
 - Related: rhbz#2221106

 [1:11.0.20.0.8-1]
 - Update to jdk-11.0.20.0+8 (GA)
 - Update release notes to 11.0.20.0+8
 - Drop local inclusion of JDK-8274864 & JDK-8305113 as they are included in 11.0.20+1
 - Bump tzdata requirement to 2023c now it is available in the buildroot
 - Bump bundled LCMS version to 2.15 as in jdk-11.0.20+1.
 - Bump bundled HarfBuzz version to 7.0.1 as in jdk-11.0.20+7
 - Use tapsets from the misc tarball
 - Introduce 'prelease' for the portable release versioning, to handle EA builds
 - Make sure root installation directory is created first
 - Use in-place substitution for all but the first of the tapset changes
 - Sync the copy of the portable specfile with the latest update
 - Add note at top of spec file about rebuilding
 - ** This tarball is embargoed until 2023-07-18 @ 1pm PT. **
 - Resolves: rhbz#2217715
 - Resolves: rhbz#2221106

 [1:11.0.19.0.7-4]
 - Include the java-11-openjdk-portable.spec file with instructions on how to rebuild.
 - Related: rhbz#2150201

 [1:11.0.19.0.7-3]
 - Revert 'Restore native build for x86 as there is no portable build'
 - Reintroduce useful cleanups from x86 reversion
 - Adjust oj_vendor_version & oj_vendor_bug_url to match the portable so test passes
 - Related: rhbz#2150201

 [1:11.0.19.0.7-2]
 - Update to jdk-11.0.19.0+7
 - Update release notes to 11.0.19.0+7
 - Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113
 - Update generate_tarball.sh to add support for passing a boot JDK to the configure run
 - Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
 - Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
 - Rebase FIPS support against 11.0.19+6
 - Rebase RH1750419 alt-java patch against 11.0.19+6
 - Replace local copies of JDK portable binaries with build dependencies
 - Use portable build on x86_32 now one is available
 - ** This tarball is embargoed until 2023-04-18 @ 1pm PT. **
 - Resolves: rhbz#2185182
 - Resolves: rhbz#2150201

 [1:11.0.18.0.10-4]
 - On portable architectures, replace build section with extraction of existing builds from portables
 - Rewrite ELF files so the source file path is correct and debugsources can be assembled
 - Backport SHA-3 support for PKCS11 provider
 - Sync patch set with portable build we are using by removing rh1648644-java_access_bridge_privileged_security.patch
 - Resolves: rhbz#2150201

 [1:11.0.18.0.10-3]
 - Update to jdk-11.0.18+10 (GA)
 - Update release notes to 11.0.18+10
 - Switch to GA mode for release
 - Resolves: rhbz#2160111

 [1:11.0.18.0.9-0.3.ea]
 - Update to jdk-11.0.18+9
 - Update release notes to 11.0.18+9
 - Drop local copy of JDK-8293834 now this is upstream
 - Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
 - Update TestTranslations.java to test the new America/Ciudad_Juarez zone
 - Resolves: rhbz#2150197

 [1:11.0.18.0.1-0.3.ea]
 - Update to jdk-11.0.18+1
 - Update release notes to 11.0.18+1
 - Switch to EA mode for 11.0.18 pre-release builds.
 - Drop local copies of JDK-8294357 & JDK-8295173 now upstream contains tzdata 2022e
 - Drop local copy of JDK-8275535 which is finally upstream
 - Related: rhbz#2150197

 [1:11.0.17.0.8-2]
 - Update to jdk-11.0.17+8 (GA)
 - Update release notes to 11.0.17+8
 - Switch to GA mode for release
 - Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
 - Update CLDR data with Europe/Kyiv (JDK-8293834)
 - Drop JDK-8292223 patch which we found to be unnecessary
 - Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
 - The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
 - Remove freetype sources along with zlib sources
 - Resolves: rhbz#2133695

 [1:11.0.17.0.7-0.1.ea]
 - Update to jdk-11.0.17+7
 - Update release notes to 11.0.17+7
 - Resolves: rhbz#2130619

 [1:11.0.17.0.1-0.2.ea]
 - Update to jdk-11.0.17+1
 - Update release notes to 11.0.17+1
 - Switch to EA mode for 11.0.17 pre-release builds.
 - Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
 - Bump FreeType bundled version to 2.12.1 following JDK-8290334
 - Related: rhbz#2130619

 [1:11.0.16.1.1-3]
 - Switch to static builds, reducing system dependencies and making build more portable
 - Resolves: rhbz#2121275

 [1:11.0.16.1.1-2]
 - Update to jdk-11.0.16.1+1
 - Update release notes to 11.0.16.1+1
 - Add patch to provide translations for Europe/Kyiv added in tzdata2022b
 - Add test to ensure timezones can be translated
 - Resolves: rhbz#2119528

 [1:11.0.16.0.8-2]
 - Update to jdk-11.0.16+8
 - Update release notes to 11.0.16+8
 - Switch to GA mode for release
 - Resolves: rhbz#2106517

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2024-4567.html

Plugin Details

Severity: High

ID: 202634

File Name: oraclelinux_ELSA-2024-4567.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/18/2024

Updated: 7/18/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2024-21147

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:java-11-openjdk, p-cpe:/a:oracle:linux:java-11-openjdk-demo, p-cpe:/a:oracle:linux:java-11-openjdk-devel, p-cpe:/a:oracle:linux:java-11-openjdk-headless, p-cpe:/a:oracle:linux:java-11-openjdk-javadoc, p-cpe:/a:oracle:linux:java-11-openjdk-javadoc-zip, p-cpe:/a:oracle:linux:java-11-openjdk-jmods, p-cpe:/a:oracle:linux:java-11-openjdk-src, p-cpe:/a:oracle:linux:java-11-openjdk-static-libs, p-cpe:/a:oracle:linux:java-11-openjdk-demo-fastdebug, p-cpe:/a:oracle:linux:java-11-openjdk-demo-slowdebug, p-cpe:/a:oracle:linux:java-11-openjdk-devel-fastdebug, p-cpe:/a:oracle:linux:java-11-openjdk-devel-slowdebug, p-cpe:/a:oracle:linux:java-11-openjdk-fastdebug, p-cpe:/a:oracle:linux:java-11-openjdk-headless-fastdebug, p-cpe:/a:oracle:linux:java-11-openjdk-headless-slowdebug, p-cpe:/a:oracle:linux:java-11-openjdk-jmods-fastdebug, p-cpe:/a:oracle:linux:java-11-openjdk-jmods-slowdebug, p-cpe:/a:oracle:linux:java-11-openjdk-slowdebug, p-cpe:/a:oracle:linux:java-11-openjdk-src-fastdebug, p-cpe:/a:oracle:linux:java-11-openjdk-src-slowdebug, p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-fastdebug, p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-slowdebug, cpe:/o:oracle:linux:9, cpe:/a:oracle:linux:8::appstream, cpe:/a:oracle:linux:9::appstream, cpe:/a:oracle:linux:9::codeready_builder, cpe:/a:oracle:linux:8::codeready_builder

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/OracleLinux

Exploit Ease: No known exploits are available

Patch Publication Date: 7/18/2024

Vulnerability Publication Date: 7/16/2024

Reference Information

CVE: CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147