(RHSA-2022:7053) Moderate: OpenJDK 17.0.5 Security Update for Portable Linux Builds

2022-10-2010:23:37

access.redhat.com

openjdk

security update

portable linux builds

red hat

cve-2022-21619

cve-2022-21626

cve-2022-21624

cve-2022-21628

cve-2022-39399

cve-2022-21618

cvss score

networking

lightweight http server

jndi

libraries

http/2

buffer overflow

memory allocation

sni caching

connection limit

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

59.5%

JSON

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 17 (17.0.5) for portable Linux
serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.4) and
includes security and bug fixes, and enhancements. For further information,
refer to the release notes linked to in the References section.

Security Fix(es):

OpenJDK: improper handling of long NTLM client hostnames (Networking, 8286526) (CVE-2022-21619)
OpenJDK: excessive memory allocation in X.509 certificate parsing (Libraries, 8286533) (CVE-2022-21626)
OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910) (CVE-2022-21624)
OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918) (CVE-2022-21628)
OpenJDK: missing SNI caching in HTTP/2 (Networking, 8289366) (CVE-2022-39399)
OpenJDK: improper MultiByte conversion can lead to buffer overflow (JGSS, 8286077) (CVE-2022-21618)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.