RedHat: RHSA-2022-0165:03 Moderate: OpenJDK 17.0.2 security update for
Summary
The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and
the OpenJDK 17 Java Software Development Kit.
This release of the Red Hat build of OpenJDK 17 (17.0.2) for portable Linux
serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.1) and
includes security and bug fixes, and enhancements. For further information,
refer to the release notes linked to in the References section.
Security Fix(es):
* OpenJDK: Unexpected exception thrown in regex Pattern (Libraries,
8268813) (CVE-2022-21283)
* OpenJDK: Incomplete checks of StringBuffer and StringBuilder during
deserialization (Libraries, 8270392) (CVE-2022-21293)
* OpenJDK: Incorrect IdentityHashMap size checks during deserialization
(Libraries, 8270416) (CVE-2022-21294)
* OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP,
8270492) (CVE-2022-21282)
* OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498)
(CVE-2022-21296)
* OpenJDK: Infinite loop related to incorrect handling of newlines in
XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)
* OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor
(ImageIO, 8270952) (CVE-2022-21277)
* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756)
(CVE-2022-21360)
* OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838)
(CVE-2022-21365)
* OpenJDK: Excessive memory allocation in TIFF*Decompressor (ImageIO,
8274096) (CVE-2022-21366)
* OpenJDK: Incomplete deserialization class filtering in ObjectInputStream
(Serialization, 8264934) (CVE-2022-21248)
* OpenJDK: Incorrect marking of writeable fields (Hotspot, 8270386)
(CVE-2022-21291)
* OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014)
(CVE-2022-21305)
* OpenJDK: Excessive resource use when reading JAR manifest attributes
(Libraries, 8272026) (CVE-2022-21340)
* OpenJDK: Insufficient checks when deserializing exceptions in
ObjectInputStream (Serialization, 8272236) (CVE-2022-21341)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index
References
https://access.redhat.com/security/cve/CVE-2022-21248 https://access.redhat.com/security/cve/CVE-2022-21277 https://access.redhat.com/security/cve/CVE-2022-21282 https://access.redhat.com/security/cve/CVE-2022-21283 https://access.redhat.com/security/cve/CVE-2022-21291 https://access.redhat.com/security/cve/CVE-2022-21293 https://access.redhat.com/security/cve/CVE-2022-21294 https://access.redhat.com/security/cve/CVE-2022-21296 https://access.redhat.com/security/cve/CVE-2022-21299 https://access.redhat.com/security/cve/CVE-2022-21305 https://access.redhat.com/security/cve/CVE-2022-21340 https://access.redhat.com/security/cve/CVE-2022-21341 https://access.redhat.com/security/cve/CVE-2022-21360 https://access.redhat.com/security/cve/CVE-2022-21365 https://access.redhat.com/security/cve/CVE-2022-21366 https://access.redhat.com/security/updates/classification/#moderate
Package List
Topic
The Red Hat build of OpenJDK 17 (java-17-openjdk) is now available forWindows.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
2041400 - CVE-2022-21283 OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813)
2041417 - CVE-2022-21293 OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392)
2041427 - CVE-2022-21294 OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416)
2041435 - CVE-2022-21282 OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492)
2041439 - CVE-2022-21296 OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498)
2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)
2041479 - CVE-2022-21277 OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor (ImageIO, 8270952)
2041491 - CVE-2022-21360 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756)
2041785 - CVE-2022-21365 OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838)
2041789 - CVE-2022-21366 OpenJDK: Excessive memory allocation in TIFF*Decompressor (ImageIO, 8274096)
2041801 - CVE-2022-21248 OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934)
2041831 - CVE-2022-21291 OpenJDK: Incorrect marking of writeable fields (Hotspot, 8270386)
2041878 - CVE-2022-21305 OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014)
2041884 - CVE-2022-21340 OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026)
2041897 - CVE-2022-21341 OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236)