- Issued:
- 2024-01-17
- Updated:
- 2024-01-25
RHSA-2024:0240 - Security Advisory
Synopsis
Important: OpenJDK 17.0.10 security update
Type/Severity
Security Advisory: Important
Topic
An update is now available for OpenJDK.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.
This release of the Red Hat build of OpenJDK 17 (17.0.10) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.9) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
- OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)
- OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123) (CVE-2024-20932)
- OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)
- OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)
- OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)
- OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
2024-01-22 ADDENDUM
The Linux binaries currently available replace those released on the 17th of January 2024.
Red Hat builds OpenJDK on a number of systems with different buildroots requirements, and typically releases the binaries built on RHEL 7 on the Customer Portal for maximum compatibility.
Red Hat discovered a problem during the latest release where we accidentally uploaded binaries that were built using a buildroot derived from RHEL 8.8 for all versions of OpenJDK. This caused some incompatibilities with older versions, because RHEL 8.8 has a newer glibc, among other libraries.
To determine if you are running the incorrect version on a RHEL 7 system, run 'java -version'. If the command fails immediately, you might need to update to this release.
The following are the names of the distributions built incorrectly (please note the absence of 'el' in the filename):
java-17-openjdk-17.0.10.0.7-1.portable.jdk.x86_64.tar.xz
java-17-openjdk-17.0.10.0.7-1.portable.jre.x86_64.tar.xz
The following are the names of the corrected distributions:
java-17-openjdk-17.0.10.0.7-1.portable.jdk.el.x86_64.tar.xz
java-17-openjdk-17.0.10.0.7-1.portable.jre.el.x86_64.tar.xz
Please note, even if these binaries are built on RHEL 7 for backward compatibility, not all versions of the Red Hat build of OpenJDK are supported on RHEL 7. Please check the OpenJDK Life Cycle and Support Policy page for more information:
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- OpenJDK Java (for Middleware) 1 x86_64
Fixes
- BZ - 2257720 - CVE-2024-20932 OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123)
- BZ - 2257728 - CVE-2024-20918 OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468)
- BZ - 2257837 - CVE-2024-20952 OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547)
- BZ - 2257853 - CVE-2024-20919 OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295)
- BZ - 2257859 - CVE-2024-20921 OpenJDK: range check loop optimization issue (8314307)
- BZ - 2257874 - CVE-2024-20945 OpenJDK: logging of digital signature private keys (8316976)
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
