Detections
Analytics
Amazon Corretto Java 11.x < 11.0.26.4.1 Vulnerability
high Nessus Plugin ID 214445
Synopsis
Amazon Corretto is affected a vulnerability.Description
The version of Amazon Corretto installed on the remote host is 11 prior to 11.0.26.4.1. It is, therefore, affected by a vulnerability as referenced in the corretto-11-2025-Jan-21 advisory.- Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user- defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability. (CVE-2024-21502)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update to Amazon Corretto Java 11.0.26.4.1 or laterPlugin Details
Severity: High
ID: 214445
File Name: amazon_corretto_11_0_26_4_1.nasl
Version: 1.1
Type: local
Agent: windows, macosx, unix
Family: Misc.
Published: 1/21/2025
Updated: 1/21/2025
Configuration: Enable thorough checks
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: High
Base Score: 7.8
Temporal Score: 5.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS Score Source: CVE-2024-21502
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:amazon:corretto
Required KB Items: installed_sw/Java
Exploit Ease: No known exploits are available
Patch Publication Date: 1/21/2025
Vulnerability Publication Date: 2/24/2024
Reference Information
CVE: CVE-2024-21502