Fedora 37 : java-latest-openjdk (2022-d0ed59bee7)

medium Nessus Plugin ID 211024

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-d0ed59bee7 advisory.

# New in release OpenJDK 19.0.1 (2022-10-18)

* [Full release notes](https://builds.shipilev.net/backports-monitor/release-notes-19.0.1.html)
* This update depends on [FEDORA-2022-d0fc6f0dd4](https://bodhi.fedoraproject.org/updates/FEDORA-2022-d0fc6f0dd4)

## CVEs Fixed
- CVE-2022-21618
- CVE-2022-21619
- CVE-2022-21624
- CVE-2022-21628
- CVE-2022-39399

## Security Fixes
- JDK-8282252: Improve BigInteger/Decimal validation
- JDK-8285662: Better permission resolution
- JDK-8286077: Wider MultiByte conversions
- JDK-8286511: Improve macro allocation
- JDK-8286519: Better memory handling
- JDK-8286526: Improve NTLM support
- JDK-8286910: Improve JNDI lookups
- JDK-8286918: Better HttpServer service
- JDK-8287446: Enhance icon presentations
- JDK-8288508: Enhance ECDSA usage
- JDK-8289366: Improve HTTP/2 client usage
- JDK-8289853: Update HarfBuzz to 4.4.1
- JDK-8290334: Update FreeType to 2.12.1

## Major Changes

### [JDK-8292654](https://bugs.openjdk.org/browse/JDK-8292654): G1 Remembered set memory footprint regression after [JDK-8286115](https://bugs.openjdk.org/browse/JDK-8286115) JDK-8286115 changed ergonomic sizing of a component of the remembered sets in G1. This change causes increased native memory usage of the Hotspot VM for applications that create large remembered sets with the G1 collector.

In an internal benchmark total GC component native memory usage rose by almost 10% (from 1.2GB to 1.3GB).

This issue can be worked around by passing double the value of `G1RemSetArrayOfCardsEntries` as printed by running the application with `-XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions` to your application.

E.g. pass `-XX:+UnlockExperimentalVMOptions -XX:G1RemSetArrayOfCardsEntries=128` if a previous run showed a value of `64` for `G1RemSetArrayOfCardsEntries` in the output of `-XX:+PrintFlagsFinal`.

## [JDK-8292579](https://bugs.openjdk.org/browse/JDK-8292579): Update Timezone Data to 2022c

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are ```Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap```.

For more details, refer to the announcement of [2022b](https://mm.icann.org/pipermail/tz- announce/2022-August/000071.html)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected 1:java-latest-openjdk package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2022-d0ed59bee7

Plugin Details

Severity: Medium

ID: 211024

File Name: fedora_2022-d0ed59bee7.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/14/2024

Updated: 11/14/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-21618

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:java-latest-openjdk, cpe:/o:fedoraproject:fedora:37

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/28/2022

Vulnerability Publication Date: 10/17/2022

Reference Information

CVE: CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21628, CVE-2022-39399