Source: openjdk-8 X-Debbugs-CC: [email protected] Severity: grave Tags: security
Hi, The following vulnerabilities were published for openjdk-8. CVE-2025-53057[0]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | Security). Supported versions that are affected are Oracle Java SE: | 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for | JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: | 21.3.15. Difficult to exploit vulnerability allows unauthenticated | attacker with network access via multiple protocols to compromise | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise | Edition. Successful attacks of this vulnerability can result in | unauthorized creation, deletion or modification access to critical | data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition accessible data. Note: This vulnerability can be | exploited by using APIs in the specified Component, e.g., through a | web service which supplies data to the APIs. This vulnerability also | applies to Java deployments, typically in clients running sandboxed | Java Web Start applications or sandboxed Java applets, that load and | run untrusted code (e.g., code that comes from the internet) and | rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 | (Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). CVE-2025-53066[1]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | JAXP). Supported versions that are affected are Oracle Java SE: | 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for | JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: | 21.3.15. Easily exploitable vulnerability allows unauthenticated | attacker with network access via multiple protocols to compromise | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise | Edition. Successful attacks of this vulnerability can result in | unauthorized access to critical data or complete access to all | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise | Edition accessible data. Note: This vulnerability can be exploited | by using APIs in the specified Component, e.g., through a web | service which supplies data to the APIs. This vulnerability also | applies to Java deployments, typically in clients running sandboxed | Java Web Start applications or sandboxed Java applets, that load and | run untrusted code (e.g., code that comes from the internet) and | rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 | (Confidentiality impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-53057 https://www.cve.org/CVERecord?id=CVE-2025-53057 [1] https://security-tracker.debian.org/tracker/CVE-2025-53066 https://www.cve.org/CVERecord?id=CVE-2025-53066 Please adjust the affected versions in the BTS as needed.
