(RHSA-2023:1885) Important: OpenJDK 17.0.7 Security Update for Windows Builds

2023-04-1919:34:14

access.redhat.com

openjdk

17.0.7

security update

windows builds

tls handshake

swing html parsing

garbage collector

certificate validation issue

processbuilder

uri-to-path conversion

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.002

Percentile

53.6%

JSON

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 17 (17.0.7) for Windows serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.6) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

OpenJDK: improper connection handling during TLS handshake (8294474) (CVE-2023-21930)
OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939)
OpenJDK: incorrect enqueue of references in garbage collector (8298191) (CVE-2023-21954)
OpenJDK: certificate validation issue in TLS session negotiation (8298310) (CVE-2023-21967)
OpenJDK: missing string checks for NULL characters (8296622) (CVE-2023-21937)
OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304) (CVE-2023-21938)
OpenJDK: missing check for slash characters in URI-to-path conversion (8298667) (CVE-2023-21968)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.