USN-7338-1

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/notices/USN-7338-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7338-1.json

JSON Data

https://api.test.osv.dev/v1/vulns/USN-7338-1

Related

Published

2025-03-11T01:13:38.735327Z

Modified

2025-03-11T01:13:38.735327Z

Summary

openjdk-17-crac vulnerabilities

Details

Andy Boothe discovered that the Networking component of CRaC JDK 17 did not properly handle access under certain circumstances. An unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2024-21208)

It was discovered that the Hotspot component of CRaC JDK 17 did not properly handle vectorization under certain circumstances. An unauthenticated attacker could possibly use this issue to access unauthorized resources and expose sensitive information. (CVE-2024-21210, CVE-2024-21235)

It was discovered that the Serialization component of CRaC JDK 17 did not properly handle deserialization under certain circumstances. An unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2024-21217)

It was discovered that the Hotspot component of CRaC JDK 17 did not properly handle API access under certain circumstances. An unauthenticated attacker could possibly use this issue to access unauthorized resources and expose sensitive information. (CVE-2025-21502)

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information: https://openjdk.org/groups/vulnerability/advisories/2024-10-15 https://openjdk.org/groups/vulnerability/advisories/2025-01-21

References

Affected packages

Ubuntu:24.10 / openjdk-17-crac

Package

Name: openjdk-17-crac
Purl: pkg:deb/ubuntu/openjdk-17-crac@17.0.14+7-0ubuntu1~24.10?arch=source&distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

17.0.14+7-0ubuntu1~24.10

Affected versions

17.*

17.0.13+0-0ubuntu1

17.0.13+0-0ubuntu2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-dbg"
        },
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-demo"
        },
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-doc"
        },
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-jdk"
        },
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-jdk-headless"
        },
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-jre"
        },
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-jre-headless"
        },
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-jre-zero"
        },
        {
            "binary_version": "17.0.14+7-0ubuntu1~24.10",
            "binary_name": "openjdk-17-crac-source"
        }
    ]
}