Package: openjdk-8 X-Debbugs-CC: [email protected] Severity: grave Tags: security
Hi, The following vulnerabilities were published for openjdk-8. CVE-2026-21945[0]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | Security). Supported versions that are affected are Oracle Java SE: | 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; | Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM | Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows | unauthenticated attacker with network access via multiple protocols | to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM | for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability | applies to Java deployments, typically in clients running sandboxed | Java Web Start applications or sandboxed Java applets, that load and | run untrusted code (e.g., code that comes from the internet) and | rely on the Java sandbox for security. This vulnerability does not | apply to Java deployments, typically in servers, that load and run | only trusted code (e.g., code installed by an administrator). CVSS | 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). CVE-2026-21933[1]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | Networking). Supported versions that are affected are Oracle Java | SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; | Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM | Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows | unauthenticated attacker with network access via multiple protocols | to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition. Successful attacks require human interaction | from a person other than the attacker and while the vulnerability is | in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise | Edition, attacks may significantly impact additional products (scope | change). Successful attacks of this vulnerability can result in | unauthorized update, insert or delete access to some of Oracle Java | SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition | accessible data as well as unauthorized read access to a subset of | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise | Edition accessible data. Note: This vulnerability can be exploited | by using APIs in the specified Component, e.g., through a web | service which supplies data to the APIs. This vulnerability also | applies to Java deployments, typically in clients running sandboxed | Java Web Start applications or sandboxed Java applets, that load and | run untrusted code (e.g., code that comes from the internet) and | rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 | (Confidentiality and Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). CVE-2026-21932[2]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | AWT, JavaFX). Supported versions that are affected are Oracle Java | SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; | Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM | Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows | unauthenticated attacker with network access via multiple protocols | to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition. Successful attacks require human interaction | from a person other than the attacker and while the vulnerability is | in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise | Edition, attacks may significantly impact additional products (scope | change). Successful attacks of this vulnerability can result in | unauthorized creation, deletion or modification access to critical | data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition accessible data. Note: This vulnerability applies | to Java deployments, typically in clients running sandboxed Java Web | Start applications or sandboxed Java applets, that load and run | untrusted code (e.g., code that comes from the internet) and rely on | the Java sandbox for security. This vulnerability does not apply to | Java deployments, typically in servers, that load and run only | trusted code (e.g., code installed by an administrator). CVSS 3.1 | Base Score 7.4 (Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). CVE-2026-21925[3]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | RMI). Supported versions that are affected are Oracle Java SE: | 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; | Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM | Enterprise Edition: 21.3.16. Difficult to exploit vulnerability | allows unauthenticated attacker with network access via multiple | protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, | Oracle GraalVM Enterprise Edition. Successful attacks of this | vulnerability can result in unauthorized update, insert or delete | access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition accessible data as well as unauthorized | read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, | Oracle GraalVM Enterprise Edition accessible data. Note: This | vulnerability can be exploited by using APIs in the specified | Component, e.g., through a web service which supplies data to the | APIs. This vulnerability also applies to Java deployments, typically | in clients running sandboxed Java Web Start applications or | sandboxed Java applets, that load and run untrusted code (e.g., code | that comes from the internet) and rely on the Java sandbox for | security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-21945 https://www.cve.org/CVERecord?id=CVE-2026-21945 [1] https://security-tracker.debian.org/tracker/CVE-2026-21933 https://www.cve.org/CVERecord?id=CVE-2026-21933 [2] https://security-tracker.debian.org/tracker/CVE-2026-21932 https://www.cve.org/CVERecord?id=CVE-2026-21932 [3] https://security-tracker.debian.org/tracker/CVE-2026-21925 https://www.cve.org/CVERecord?id=CVE-2026-21925 Please adjust the affected versions in the BTS as needed.
