(RHSA-2024:0240) Important: OpenJDK 17.0.10 security update

2024-01-1714:04:05

access.redhat.com

openjdk 17

portable linux

security update

bug fixes

red hat build

cve

release notes

incompatibilities

glibc

rhel 7

backward compatibility

support policy

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.8%

JSON

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 17 (17.0.10) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.9) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)
OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123) (CVE-2024-20932)
OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)
OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)
OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)
OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

2024-01-22 ADDENDUM

The Linux binaries currently available replace those released on the 17th of January 2024.

Red Hat builds OpenJDK on a number of systems with different buildroots requirements, and typically releases the binaries built on RHEL 7 on the Customer Portal for maximum compatibility.

Red Hat discovered a problem during the latest release where we accidentally uploaded binaries that were built using a buildroot derived from RHEL 8.8 for all versions of OpenJDK. This caused some incompatibilities with older versions, because RHEL 8.8 has a newer glibc, among other libraries.

To determine if you are running the incorrect version on a RHEL 7 system, run ‘java -version’. If the command fails immediately, you might need to update to this release.

The following are the names of the distributions built incorrectly (please note the absence of ‘el’ in the filename):

java-17-openjdk-17.0.10.0.7-1.portable.jdk.x86_64.tar.xz
java-17-openjdk-17.0.10.0.7-1.portable.jre.x86_64.tar.xz

The following are the names of the corrected distributions:

java-17-openjdk-17.0.10.0.7-1.portable.jdk.el.x86_64.tar.xz
java-17-openjdk-17.0.10.0.7-1.portable.jre.el.x86_64.tar.xz

Please note, even if these binaries are built on RHEL 7 for backward compatibility, not all versions of the Red Hat build of OpenJDK are supported on RHEL 7. Please check the OpenJDK Life Cycle and Support Policy page for more information:

https://access.redhat.com/articles/1299013