Lucene search

K
ubuntuUbuntuUSN-5546-2
HistoryAug 04, 2022 - 12:00 a.m.

OpenJDK 8 vulnerabilities

2022-08-0400:00:00
ubuntu.com
88
openjdk
ubuntu 16.04 esm
vulnerabilities
ecdsa
xpath
denial of service
object identifiers
bypass validation
parsed uri
hotspot component
xalan
integer truncation

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

8.3

Confidence

Low

EPSS

0.004

Percentile

75.5%

Releases

  • Ubuntu 16.04 ESM

Packages

  • openjdk-8 - Open Source Java implementation

Details

USN-5546-1 fixed vulnerabilities in OpenJDK.
This update provides the corresponding updates for Ubuntu 16.04 ESM.

Original advisory details:

Neil Madden discovered that OpenJDK did not properly verify ECDSA
signatures. A remote attacker could possibly use this issue to insert,
edit or obtain sensitive information. This issue only affected OpenJDK
17 and OpenJDK 18. (CVE-2022-21449)

It was discovered that OpenJDK incorrectly limited memory when compiling a
specially crafted XPath expression. An attacker could possibly use this
issue to cause a denial of service. This issue was fixed in OpenJDK 8 and
OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11
and OpenJDK 17. (CVE-2022-21426)

It was discovered that OpenJDK incorrectly handled converting certain
object arguments into their textual representations. An attacker could
possibly use this issue to cause a denial of service. This issue was
fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed
this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21434)

It was discovered that OpenJDK incorrectly validated the encoded length of
certain object identifiers. An attacker could possibly use this issue to
cause a denial of service. This issue was fixed in OpenJDK 8 and OpenJDK 18.
USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17.
(CVE-2022-21443)

It was discovered that OpenJDK incorrectly validated certain paths. An
attacker could possibly use this issue to bypass the secure validation
feature and expose sensitive information in XML files. This issue was
fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this
issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21476)

It was discovered that OpenJDK incorrectly parsed certain URI strings. An
attacker could possibly use this issue to make applications accept
invalid of malformed URI strings. This issue was fixed in OpenJDK 8 and
OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11
and OpenJDK 17. (CVE-2022-21496)

It was discovered that OpenJDK incorrectly generated class code in the
Hotspot component. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2022-21540)

It was dicovered that OpenJDK incorrectly restricted access to the
invokeBasic() method in the Hotspot component. An attacker could possibly
use this issue to insert, edit or obtain sensitive information.
(CVE-2022-21541)

It was discovered that OpenJDK incorrectly computed exponentials. An
attacker could possibly use this issue to insert, edit or obtain sensitive
information. This issue only affected OpenJDK 17.
(CVE-2022-21549)

It was discovered that OpenJDK includes a copy of Xalan that incorrectly
handled integer truncation. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2022-34169)

OSVersionArchitecturePackageVersionFilename
Ubuntu16.04noarchopenjdk-8-jdk< 8u342-b07-0ubuntu1~16.04UNKNOWN
Ubuntu16.04noarchopenjdk-8-dbg< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Ubuntu16.04noarchopenjdk-8-demo< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Ubuntu16.04noarchopenjdk-8-demo-dbgsym< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Ubuntu16.04noarchopenjdk-8-doc< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Ubuntu16.04noarchopenjdk-8-jdk< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Ubuntu16.04noarchopenjdk-8-jdk-headless< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Ubuntu16.04noarchopenjdk-8-jre< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Ubuntu16.04noarchopenjdk-8-jre-dbgsym< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Ubuntu16.04noarchopenjdk-8-jre-headless< 8u292-b10-0ubuntu1~16.04.1UNKNOWN
Rows per page:
1-10 of 171

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

8.3

Confidence

Low

EPSS

0.004

Percentile

75.5%