Source: openjdk-17
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-17.

CVE-2023-21930[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via TLS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized creation, deletion or modification access
| to critical data or all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized access to critical
| data or complete access to all Oracle Java SE, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability applies
| to Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. This vulnerability can also be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVE-2023-21937[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Networking). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2023-21938[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and
| 22.3.0. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted code
| (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2023-21939[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Swing). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Easily exploitable vulnerability allows unauthenticated attacker with
| network access via HTTP to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability can also be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2023-21954[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Hotspot). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized access to critical data or
| complete access to all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2023-21967[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via HTTPS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2023-21968[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-21930
    https://www.cve.org/CVERecord?id=CVE-2023-21930
[1] https://security-tracker.debian.org/tracker/CVE-2023-21937
    https://www.cve.org/CVERecord?id=CVE-2023-21937
[2] https://security-tracker.debian.org/tracker/CVE-2023-21938
    https://www.cve.org/CVERecord?id=CVE-2023-21938
[3] https://security-tracker.debian.org/tracker/CVE-2023-21939
    https://www.cve.org/CVERecord?id=CVE-2023-21939
[4] https://security-tracker.debian.org/tracker/CVE-2023-21954
    https://www.cve.org/CVERecord?id=CVE-2023-21954
[5] https://security-tracker.debian.org/tracker/CVE-2023-21967
    https://www.cve.org/CVERecord?id=CVE-2023-21967
[6] https://security-tracker.debian.org/tracker/CVE-2023-21968
    https://www.cve.org/CVERecord?id=CVE-2023-21968

Please adjust the affected versions in the BTS as needed.