Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Ubuntu 23.10 USN-6528-1 High: OpenJDK 8 DoS and Memory Issues

ubuntu
Calendar Grey November 29, 2023
Dist Ubuntu Esm H88
Ubuntu Security Announcement USN-6529-3 addresses issues in OpenJDK 11, focusing on potential denial of service and memory leaks.
Several security issues were fixed in OpenJDK.

Summary

Several security issues were fixed in OpenJDK.

Software Description:

- openjdk-8: Open Source Java implementation

Details:

It was discovered that the HotSpot VM implementation in OpenJDK did not

properly validate bytecode blocks in certain situations. An attacker could

possibly use this to cause a denial of service. (CVE-2022-40433)

Carter Kozak discovered that OpenJDK, when compiling with AVX-512

instruction support enabled, could produce code that resulted in memory

corruption in certain situations. An attacker targeting applications built

in this way could possibly use this to cause a denial of service or execute

arbitrary code. In Ubuntu, OpenJDK defaults to not using AVX-512

instructions. (CVE-2023-22025)

It was discovered that the CORBA implementation in OpenJDK did not properly

perform deserialization of IOR string objects. An attacker could possibly

use this to bypass Java sandbox restrictions. (CVE-2023-22067)

It was discovered that OpenJDK did not properly perform P...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  openjdk-8-jdk                   8u392-ga-1~23.10
  openjdk-8-jdk-headless          8u392-ga-1~23.10
  openjdk-8-jre                   8u392-ga-1~23.10
  openjdk-8-jre-headless          8u392-ga-1~23.10
  openjdk-8-jre-zero              8u392-ga-1~23.10

Ubuntu 23.04:
  openjdk-8-jdk                   8u392-ga-1~23.04
  openjdk-8-jdk-headless          8u392-ga-1~23.04
  openjdk-8-jre                   8u392-ga-1~23.04
  openjdk-8-jre-headless          8u392-ga-1~23.04
  openjdk-8-jre-zero              8u392-ga-1~23.04

Ubuntu 22.04 LTS:
  openjdk-8-jdk                   8u392-ga-1~22.04
  openjdk-8-jdk-headless          8u392-ga-1~22.04
  openjdk-8-jre                   8u392-ga-1~22.04
  openjdk-8-jre-headless          8u392-ga-1~22.04
  openjdk-8-jre-zero              8u392-ga-1~22.04

Ubuntu 20.04 LTS:
  openjdk-8-jdk                   8u392-ga-1~20.04
  openjdk-8-jdk-headless          8u392-ga-1~20.04
  openjdk-8-jre                   8u392-ga-1~20.04
  openjdk-8-jre-headless          8u392-ga-1~20.04
  openjdk-8-jre-zero              8u392-ga-1~20.04

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  openjdk-8-jdk                   8u392-ga-1~18.04
  openjdk-8-jdk-headless          8u392-ga-1~18.04
  openjdk-8-jre                   8u392-ga-1~18.04
  openjdk-8-jre-headless          8u392-ga-1~18.04
  openjdk-8-jre-zero              8u392-ga-1~18.04

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  openjdk-8-jdk                   8u392-ga-1~16.04
  openjdk-8-jdk-headless          8u392-ga-1~16.04
  openjdk-8-jre                   8u392-ga-1~16.04
  openjdk-8-jre-headless          8u392-ga-1~16.04
  openjdk-8-jre-jamvm             8u392-ga-1~16.04
  openjdk-8-jre-zero              8u392-ga-1~16.04

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6528-1

CVE-2022-40433, CVE-2023-22025, CVE-2023-22067, CVE-2023-22081

Ubuntu Security Notice USN-6528-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here