Oracle Linux 8 / 9 : java-17-openjdk (ELSA-2024-8124)

high Nessus Plugin ID 209304

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-8124 advisory.

[17.0.13.0.11-3.0.1]
- Add Oracle vendor bug URL [Orabug: 34340155]

[1:17.0.13.0.11-3]
- Correct version suffix in 'Update to jdk-17.0.13+11 (GA)' changelog entry
- Related: RHEL-58781

[1:17.0.13.0.11-2]
- Update to jdk-17.0.13+11 (GA)
- Update .gitignore to ignore openjdk-17.0.13+11.tar.xz
- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8
- Set buildver to 11
- Set is_ga to 1
- Update sources to openjdk-17.0.13+11.tar.xz
- Resolves: RHEL-58781
- ** This tarball is embargoed until 2024-10-15 @ 1pm PT. **

[1:17.0.13.0.10-0.2.ea]
- Vary portablesuffix depending on whether we are on RHEL ('el8') or CentOS ('el9')
- Set rpmrelease to 2
- Related: RHEL-58781

[1:17.0.13.0.10-0.1.ea]
- Update to jdk-17.0.13+10 (EA)
- Update .gitignore to ignore openjdk-17.0.13+10-ea.tar.xz
- Sync java-17-openjdk-portable.specfile from openjdk-portable-centos-9
- Set buildver to 10
- Update sources to openjdk-17.0.13+10-ea.tar.xz
- Related: RHEL-58781

[1:17.0.13.0.9-0.1.ea]
- Update to jdk-17.0.13+9 (EA)
- Update .gitignore to ignore openjdk-17.0.13+9-ea.tar.xz
- Sync java-17-openjdk-portable.specfile from openjdk-portable-centos-9
- Set buildver to 9
- Set rpmrelease to 1
- Set portablerelease to 1
- Update sources to openjdk-17.0.13+9-ea.tar.xz
- Related: RHEL-58781

[1:17.0.13.0.1-0.4.ea]
- Set rpmrelease to 4
- Set portablerelease to 2
- Related: RHEL-58781

[1:17.0.13.0.1-0.3.ea]
- Synchronize java-17-openjdk-portable.specfile
- Set rpmrelease to 3
- Related: RHEL-58781

[1:17.0.13.0.1-0.2.ea]
- Update to jdk-17.0.13+1 (EA)
- Update .gitignore to ignore openjdk-17.0.13+1-ea.tar.xz
- Synchronize java-17-openjdk-portable.specfile
- Set updatever to 13
- Set buildver to 1
- Set is_ga to 0
- Update sources to openjdk-17.0.13+1-ea.tar.xz
- Related: RHEL-58781
- Remove 0001-8332174-Remove-2-unpaired-RLO-Unicode-characters-in-.patch
- Remove unicode section from rpminspect.yml, fixed instead by https://gitlab.cee.redhat.com/osci/rpminspect-data-redhat/-/merge_requests/180 (OPENJDK-2904)
- Related: RHEL-58781

[1:17.0.12.0.7-3]
- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8
- Set rpmrelease to 3
- Set portablerelease to 4

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2024-8124.html

Plugin Details

Severity: High

ID: 209304

File Name: oraclelinux_ELSA-2024-8124.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/18/2024

Updated: 10/18/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.9

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C

CVSS Score Source: CVE-2023-48161

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-headless, p-cpe:/a:oracle:linux:java-17-openjdk-headless-slowdebug, cpe:/a:oracle:linux:9::appstream, cpe:/o:oracle:linux:9, p-cpe:/a:oracle:linux:java-17-openjdk-headless-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-devel-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-jmods-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-static-libs, p-cpe:/a:oracle:linux:java-17-openjdk-devel-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-static-libs-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-demo, p-cpe:/a:oracle:linux:java-17-openjdk-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-src-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-devel, p-cpe:/a:oracle:linux:java-17-openjdk-demo-fastdebug, p-cpe:/a:oracle:linux:java-17-openjdk-jmods-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-demo-slowdebug, p-cpe:/a:oracle:linux:java-17-openjdk-src, p-cpe:/a:oracle:linux:java-17-openjdk-javadoc, p-cpe:/a:oracle:linux:java-17-openjdk-jmods, p-cpe:/a:oracle:linux:java-17-openjdk-src-fastdebug, cpe:/a:oracle:linux:9::codeready_builder, p-cpe:/a:oracle:linux:java-17-openjdk-javadoc-zip, p-cpe:/a:oracle:linux:java-17-openjdk, cpe:/a:oracle:linux:8::appstream, cpe:/a:oracle:linux:8::codeready_builder

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/18/2024

Vulnerability Publication Date: 11/22/2023

Reference Information

CVE: CVE-2023-48161, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235