Lucene search

UbuntuUSN-5719-1

HistoryNov 09, 2022 - 12:00 a.m.

OpenJDK vulnerabilities

2022-11-0900:00:00

ubuntu.com

ubuntu

openjdk

security

cve-2022-21619

cve-2022-21624

cve-2022-21628

cve-2022-21626

cve-2022-39399

cve-2022-21618

long client hostnames

randomized dns port

denial of service

x.509 certificates

cached server connections

byte conversions

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

6.5

Confidence

High

EPSS

0.002

Percentile

59.5%

JSON

Releases

Ubuntu 22.10
Ubuntu 22.04 LTS
Ubuntu 20.04 LTS
Ubuntu 18.04 ESM
Ubuntu 16.04 ESM

Packages

openjdk-17 - Open Source Java implementation
openjdk-19 - Open Source Java implementation
openjdk-8 - Open Source Java implementation
openjdk-lts - Open Source Java implementation

Details

It was discovered that OpenJDK incorrectly handled long client hostnames.
An attacker could possibly use this issue to cause the corruption of
sensitive information. (CVE-2022-21619)

It was discovered that OpenJDK incorrectly randomized DNS port numbers. A
remote attacker could possibly use this issue to perform spoofing attacks.
(CVE-2022-21624)

It was discovered that OpenJDK did not limit the number of connections
accepted from HTTP clients. An attacker could possibly use this issue to
cause a denial of service. (CVE-2022-21628)

It was discovered that OpenJDK incorrectly handled X.509 certificates. An
attacker could possibly use this issue to cause a denial of service. This
issue only affected OpenJDK 8 and OpenJDK 11. (CVE-2022-21626)

It was discovered that OpenJDK incorrectly handled cached server
connections. An attacker could possibly use this issue to perform spoofing
attacks. This issue only affected OpenJDK 11, OpenJDK 17 and OpenJDK 19.
(CVE-2022-39399)

It was discovered that OpenJDK incorrectly handled byte conversions. An
attacker could possibly use this issue to obtain sensitive information.
This issue only affected OpenJDK 11, OpenJDK 17 and OpenJDK 19.
(CVE-2022-21618)

OSVersionArchitecturePackageVersionFilename
Ubuntu22.10noarchopenjdk-8-jre-headless< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-8-dbg< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-8-demo< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-8-doc< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-8-jdk< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-8-jdk-headless< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-8-jre< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-8-jre-zero< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-8-source< 8u352-ga-1~22.10UNKNOWN
Ubuntu22.10noarchopenjdk-11-jre-headless< 11.0.17+8-1ubuntu2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	22.10	noarch	openjdk-8-jre-headless	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-8-dbg	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-8-demo	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-8-doc	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-8-jdk	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-8-jdk-headless	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-8-jre	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-8-jre-zero	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-8-source	< 8u352-ga-1~22.10	UNKNOWN
Ubuntu	22.10	noarch	openjdk-11-jre-headless	< 11.0.17+8-1ubuntu2	UNKNOWN