[RHSA-2022:7050-01] Moderate: OpenJDK 8u352 Security Update for Portable Linux Builds

Thu Oct 20 14:59:01 UTC 2022

The Red Hat build of OpenJDK 8 (java-1.8.0-openjdk) is now available for
portable Linux.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and
the OpenJDK 8 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 8 (8u352) for portable Linux
serves as a replacement for Red Hat build of OpenJDK 8 (8u342) and includes
security and bug fixes as well as enhancements. For further information,
refer to the release notes linked to in the References section.

Security Fix(es):
* OpenJDK: improper handling of long NTLM client hostnames (Networking,
8286526) (CVE-2022-21619)

* OpenJDK: excessive memory allocation in X.509 certificate parsing
(Libraries, 8286533) (CVE-2022-21626)

* OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI,
8286910) (CVE-2022-21624)

* OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server,
8286918) (CVE-2022-21628)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/openjdk/8/html/installing_and_using_openjdk_8_for_rhel/assembly_installing-openjdk-8-on-red-hat-enterprise-linux_openjdk#installing-jdk11-on-rhel-using-archive_openjdk

4. Bugs fixed (https://bugzilla.redhat.com/):

2133745 - CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)
2133753 - CVE-2022-21626 OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)
2133765 - CVE-2022-21624 OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)
2133769 - CVE-2022-21628 OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)

5. References:

https://access.redhat.com/security/cve/CVE-2022-21619
https://access.redhat.com/security/cve/CVE-2022-21624
https://access.redhat.com/security/cve/CVE-2022-21626
https://access.redhat.com/security/cve/CVE-2022-21628
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY1FiNdzjgjWX9erEAQjh9A//Y+wmqFn+nyZNgxiY6x/234XPYSL0WSyD
O2GSj68YQDlBtcn8jrPIJEFOpm7nfUGVpII57sFQP4skqM49Ift8rhaE+MIYTQ7k
dgWlABYxVJU4ptU18QbKtCWEJxdij1gm/8or/Sg385zV3+VcGRT6iPxGbWPbq8V1
R4siduc8JBlUk2jCbJM/OmLtfL0eQTxwwSvvpqqqaOgRla7cDt2NI1zzJvy9cA2q
fmgqHvhTe2o3CXtManguJBfo6mwuYHRj0z6c3iOefNY8Ia/80poDw2VPGwVb/DAP
/zu9caL6lPe8H2UKDYcj4307Uuf0U0XalTnr0Vob+jvPcyaGWBQVyxKkXMXK5b9B
sOk3bB5V0NNuajjk1CPijKSDNAM8N9U9CgzVtprUW2MNcAkcNpZbY1l5egWtRWvI
HjudZIaa6WMFfCvEfpvaiaJOtB7BGWstVisjyKvUbh2D1iaAlneFPdK6I7KZkzbT
NGXwbkLI844xANzhK3yAcn39/HYFZCu6yFDsLuhg6pFRYLqVxXIOOn5rIs45QPNL
TaRYjxxN+8vDqhNh/AfHrs2+4p5Wr9165tpjG9OZDh65VQxzroX2OSz4At6bXCVP
lNlF6HB0ofjkto8fNqnOlaJtN8yOvgaW1bibzHKTufvLY0JXcYjqWrDPU6IS9vkS
exATD5jqOYo=
=/ngT
-----END PGP SIGNATURE-----