==========================================================================
\nUbuntu Security Notice USN-5313-1
\nMarch 07, 2022<\/p>\n
openjdk-lts, openjdk-17 vulnerabilities
\n==========================================================================<\/p>\n
A security issue affects these releases of Ubuntu and its derivatives:<\/p>\n
– Ubuntu 21.10
\n– Ubuntu 20.04 LTS
\n– Ubuntu 18.04 LTS<\/p>\n
Summary:<\/p>\n
Several security issues were fixed in OpenJDK.<\/p>\n
Software Description:
\n– openjdk-17: Open Source Java implementation
\n– openjdk-lts: Open Source Java implementation<\/p>\n
Details:<\/p>\n
It was discovered that OpenJDK incorrectly handled deserialization filters.
\nAn attacker could possibly use this issue to insert, delete or obtain
\nsensitive information. (CVE-2022-21248)<\/p>\n
It was discovered that OpenJDK incorrectly read uncompressed TIFF files.
\nAn attacker could possibly use this issue to cause a denial of service via
\na specially crafted TIFF file. (CVE-2022-21277)<\/p>\n
Jonni Passki discovered that OpenJDK incorrectly verified access
\nrestrictions when performing URI resolution. An attacker could possibly
\nuse this issue to obtain sensitive information. (CVE-2022-21282)<\/p>\n
It was discovered that OpenJDK incorrectly handled certain regular
\nexpressions in the Pattern class implementation. An attacker could
\npossibly use this issue to cause a denial of service. (CVE-2022-21283)<\/p>\n
It was discovered that OpenJDK incorrectly handled specially crafted Java
\nclass files. An attacker could possibly use this issue to cause a denial
\nof service. (CVE-2022-21291)<\/p>\n
Markus Loewe discovered that OpenJDK incorrectly validated attributes
\nduring object deserialization. An attacker could possibly use this issue
\nto cause a denial of service. (CVE-2022-21293, CVE-2022-21294)<\/p>\n
Dan Rabe discovered that OpenJDK incorrectly verified access permissions
\nin the JAXP component. An attacker could possibly use this to specially
\ncraft an XML file to obtain sensitive information. (CVE-2022-21296)<\/p>\n
It was discovered that OpenJDK incorrectly handled XML entities. An
\nattacker could use this to specially craft an XML file that, when parsed,
\nwould possibly cause a denial of service. (CVE-2022-21299)<\/p>\n
Zhiqiang Zang discovered that OpenJDK incorrectly handled array indexes.
\nAn attacker could possibly use this issue to obtain sensitive information.
\n(CVE-2022-21305)<\/p>\n
It was discovered that OpenJDK incorrectly read very long attributes
\nvalues in JAR file manifests. An attacker could possibly use this to
\nspecially craft JAR file to cause a denial of service. (CVE-2022-21340)<\/p>\n
It was discovered that OpenJDK incorrectly validated input from serialized
\nstreams. An attacker cold possibly use this issue to bypass sandbox
\nrestrictions. (CVE-2022-21341)<\/p>\n
Fabian Meumertzheim discovered that OpenJDK incorrectly handled certain
\nspecially crafted BMP or TIFF files. An attacker could possibly use this
\nto cause a denial of service. (CVE-2022-21360, CVE-2022-21366)<\/p>\n
It was discovered that an integer overflow could be triggered in OpenJDK
\nBMPImageReader class implementation. An attacker could possibly use this
\nto specially craft a BMP file to cause a denial of service.
\n(CVE-2022-21365)<\/p>\n
Update instructions:<\/p>\n
The problem can be corrected by updating your system to the following
\npackage versions:<\/p>\n
Ubuntu 21.10:
\nopenjdk-11-jdk 11.0.14+9-0ubuntu2~22.10
\nopenjdk-11-jre 11.0.14+9-0ubuntu2~22.10
\nopenjdk-11-jre-headless 11.0.14+9-0ubuntu2~22.10
\nopenjdk-11-jre-zero 11.0.14+9-0ubuntu2~22.10
\nopenjdk-17-jdk 17.0.2+8-1~22.10
\nopenjdk-17-jre 17.0.2+8-1~22.10
\nopenjdk-17-jre-headless 17.0.2+8-1~22.10
\nopenjdk-17-jre-zero 17.0.2+8-1~22.10<\/p>\n
Ubuntu 20.04 LTS:
\nopenjdk-11-jdk 11.0.14+9-0ubuntu2~20.04
\nopenjdk-11-jre 11.0.14+9-0ubuntu2~20.04
\nopenjdk-11-jre-headless 11.0.14+9-0ubuntu2~20.04
\nopenjdk-11-jre-zero 11.0.14+9-0ubuntu2~20.04
\nopenjdk-17-jdk 17.0.2+8-1~20.04
\nopenjdk-17-jre 17.0.2+8-1~20.04
\nopenjdk-17-jre-headless 17.0.2+8-1~20.04
\nopenjdk-17-jre-zero 17.0.2+8-1~20.04<\/p>\n
Ubuntu 18.04 LTS:
\nopenjdk-11-jdk 11.0.14+9-0ubuntu2~18.04
\nopenjdk-11-jre 11.0.14+9-0ubuntu2~18.04
\nopenjdk-11-jre-headless 11.0.14+9-0ubuntu2~18.04
\nopenjdk-11-jre-zero 11.0.14+9-0ubuntu2~18.04
\nopenjdk-17-jdk 17.0.2+8-1~18.04
\nopenjdk-17-jre 17.0.2+8-1~18.04
\nopenjdk-17-jre-headless 17.0.2+8-1~18.04
\nopenjdk-17-jre-zero 17.0.2+8-1~18.04<\/p>\n
This update uses a new upstream release, which includes additional bug
\nfixes. After a standard system update you need to restart any Java
\napplications or applets to make all the necessary changes.<\/p>\n
References:
\nhttps:\/\/ubuntu.com\/security\/notices\/USN-5313-1
\nCVE-2022-21248, CVE-2022-21277, CVE-2022-21282, CVE-2022-21283,
\nCVE-2022-21291, CVE-2022-21293, CVE-2022-21294, CVE-2022-21296,
\nCVE-2022-21299, CVE-2022-21305, CVE-2022-21340, CVE-2022-21341,
\nCVE-2022-21360, CVE-2022-21365, CVE-2022-21366<\/p>\n
Package Information:
\nhttps:\/\/launchpad.net\/ubuntu\/+source\/openjdk-17\/17.0.2+8-1~22.10
\nhttps:\/\/launchpad.net\/ubuntu\/+source\/openjdk-lts\/11.0.14+9-0ubuntu2~22.10
\nhttps:\/\/launchpad.net\/ubuntu\/+source\/openjdk-17\/17.0.2+8-1~20.04
\nhttps:\/\/launchpad.net\/ubuntu\/+source\/openjdk-lts\/11.0.14+9-0ubuntu2~20.04
\nhttps:\/\/launchpad.net\/ubuntu\/+source\/openjdk-17\/17.0.2+8-1~18.04
\nhttps:\/\/launchpad.net\/ubuntu\/+source\/openjdk-lts\/11.0.14+9-0ubuntu2~18.04<\/p>\n","protected":false},"excerpt":{"rendered":"
========================================================================== Ubuntu Security Notice USN-5313-1 March 07, 2022 openjdk-lts, openjdk-17 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: – Ubuntu 21.10 – Ubuntu 20.04 LTS – Ubuntu 18.04 LTS Summary: Several security issues were fixed in OpenJDK. Software Description: – openjdk-17: Open Source Java implementation – openjdk-lts: Open Source Java …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21386","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21386"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21386\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}