Bug 32545 - java-17-openjdk new security issues
Summary: java-17-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 32413
Blocks: 32724
 
Reported: 2023-11-21 10:22 CET by Nicolas Salguero
Modified: 2024-03-14 00:15 CET (History)

See Also:
Source RPM: java-17-openjdk-17.0.8.0.7-1.mga9.src.rpm
CVE: CVE-2023-22081, CVE-2023-22025, CVE-2024-20932, CVE-2024-20918, CVE-2024-20952, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945
Status comment:



Description Nicolas Salguero 2023-11-21 10:22:34 CET
+++ This bug was initially created as a clone of Bug #32413 +++

RedHat has issued several advisories:
https://access.redhat.com/errata/RHSA-2023:5752 (java-17-openjdk)

Corresponding Oracle CPUs:
https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixJAVA
Nicolas Salguero 2023-11-21 10:22:49 CET

Whiteboard: (none) => MGA9TOO
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk => java-17-openjdk

Nicolas Salguero 2023-11-21 10:23:07 CET

Assignee: bugsquad => java

Nicolas Salguero 2024-01-17 10:26:16 CET

Depends on: (none) => 32724

Comment 1 Nicolas Salguero 2024-03-06 10:40:03 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Certificate path validation issue during client authentication. (CVE-2023-22081)

Memory corruption issue on x86_64 with AVX-512. (CVE-2023-22025)

Incorrect handling of ZIP files with duplicate entries. (CVE-2024-20932)

Array out-of-bounds access due to missing range check in C1 compiler. (CVE-2024-20918)

RSA padding issue and timing side-channel attack against TLS. (CVE-2024-20952)

JVM class file verifier flaw allows unverified bytecode execution. (CVE-2024-20919)

Range check loop optimization issue. (CVE-2024-20921)

Logging of digital signature private keys. (CVE-2024-20945)

References:
https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2023:5752
https://www.oracle.com/security-alerts/cpujan2024.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2024:0241
========================

Updated packages in core/updates_testing:
========================
java-17-openjdk-17.0.10.0.7-1.mga9
java-17-openjdk-demo-17.0.10.0.7-1.mga9
java-17-openjdk-demo-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-demo-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-devel-17.0.10.0.7-1.mga9
java-17-openjdk-devel-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-devel-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-headless-17.0.10.0.7-1.mga9
java-17-openjdk-headless-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-headless-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-javadoc-17.0.10.0.7-1.mga9
java-17-openjdk-javadoc-zip-17.0.10.0.7-1.mga9
java-17-openjdk-jmods-17.0.10.0.7-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-src-17.0.10.0.7-1.mga9
java-17-openjdk-src-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-src-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-static-libs-17.0.10.0.7-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.10.0.7-1.mga9

from SRPM:
java-17-openjdk-17.0.10.0.7-1.mga9.src.rpm

Blocks: (none) => 32724
Source RPM: java-17-openjdk => java-17-openjdk-17.0.8.0.7-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Assignee: java => qa-bugs
CVE: (none) => CVE-2023-22081, CVE-2023-22025, CVE-2024-20932, CVE-2024-20918, CVE-2024-20952, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945
Depends on: 32724 => (none)
Status: NEW => ASSIGNED

katnatek 2024-03-07 02:41:43 CET

Keywords: (none) => advisory

Nicolas Salguero 2024-03-07 09:24:56 CET

Severity: normal => major

PC LX 2024-03-07 11:50:03 CET

CC: (none) => mageia

Comment 2 katnatek 2024-03-09 23:56:37 CET
RH Mageia 9 x86_64

I just have 2 packages, updated without issues

installing                                 
//home/katnatek/qa-testing/x86_64/java-17-openjdk-17.0.10.0.7-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/java-17-openjdk-headless-17.0.10.0.7-1.mga9.x86_64.rpm

Used the updated packages to run and update JDownloader; the application and its update work as expected.
Comment 3 Herman Viaene 2024-03-10 11:41:06 CET
MGA9-64 Plasma Wayland on HP Pavilion
No installation issues.
Checked that LO is referring to this version and exercised the LO Base and Calc applications; all works OK.
Comment 4 Len Lawrence 2024-03-12 20:23:33 CET
mga9, x64

Most of the listed packages were missing from this system. Installed all of them from Core Release, then updated the 23 packages via qarepo and drakrpm-update without any issues.

$ strace -o low.trace libreoffice --writer
$ grep java low.trace
read(6, "/usr/lib/jvm/java-17-openjdk-17."..., 4096) = 285

Comments 2 and 3 show that it works.

Tried out the Notepad demo from /usr/lib/jvm/java-17-openjdk-17.0.10.0.7-1.mga9.x86_64/demo/jfc/Notepad/ as a HelloWorld test of one of the demo branches.
$ path
...
/usr/lib/jvm/java-17-openjdk-17.0.8.0.7-1.mga9.x86_64/jre

$ java -jar Notepad.jar
which generated a simple notepad.  Created and saved some random text to a local file.

CC: (none) => tarazed25

Len Lawrence 2024-03-13 13:19:27 CET

Whiteboard: (none) => MGA9-64-OK

Comment 5 Len Lawrence 2024-03-13 17:29:34 CET
Another oops!
The path had not been updated when the demo test was done so the code was run against the previous version of the codebase ... which had just been replaced.
Fixed .bashrc and logged in again.
$ path
.....
/usr/lib/jvm/java-17-openjdk-17.0.10.0.7-1.mga9.x86_64/jre
Opened the notebook application and added a line, saved the file and exited.  Checked the addition by opening the file again in the notebook.  All is well.
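The slip in comments 4 and 5 (the demo was run while the previous JVM tree was still on PATH) is the kind of thing a small check catches before a test result is recorded. The script below is an added example, not part of the bug report or of the Mageia packages: it parses `java -version` output and Mageia-style JVM install paths, compares the version found against the 17.0.10 shipped by java-17-openjdk-17.0.10.0.7-1.mga9, and reports whether the Java that PATH resolves is the patched build. The `java -version` transcripts embedded in it are constructed samples in the format the JDK prints, not output captured from any tester's machine; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mageia project): confirm that
# the Java actually on PATH is the patched build before treating a QA run as
# valid, which is the mistake comment 5 describes (the old tree was still on
# PATH, so the demo ran against code that had just been replaced).

# Upstream version shipped by java-17-openjdk-17.0.10.0.7-1.mga9 (from the
# package list in comment 1).
FIXED_VERSION="17.0.10"

# Read `java -version` text on stdin and print the quoted version, e.g. 17.0.10.
extract_java_version() {
    sed -n 's/^openjdk version "\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Pull the upstream version out of a Mageia JVM install path, e.g.
# /usr/lib/jvm/java-17-openjdk-17.0.10.0.7-1.mga9.x86_64/jre -> 17.0.10
version_from_jvm_path() {
    printf '%s\n' "$1" | sed -n 's#.*/java-17-openjdk-\([0-9]*\.[0-9]*\.[0-9]*\)\..*#\1#p'
}

# Numeric comparison of dotted versions: succeeds when $1 >= $2.
# Missing trailing fields count as 0, so "18" >= "17.0.10".
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        a=${a:-0};   b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Succeeds when a captured `java -version` transcript reports >= FIXED_VERSION;
# returns 2 when no version line is found at all.
java_is_patched() {
    ver=$(printf '%s\n' "$1" | extract_java_version)
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$FIXED_VERSION"
}

# Same test for a JVM directory taken from PATH or from an strace read() line.
jvm_path_is_patched() {
    ver=$(version_from_jvm_path "$1")
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$FIXED_VERSION"
}

# Constructed sample transcripts in the format `java -version` prints; they
# were not captured from any tester's machine.
OLD_OUTPUT='openjdk version "17.0.8" 2023-07-18
OpenJDK Runtime Environment (build 17.0.8+7)
OpenJDK 64-Bit Server VM (build 17.0.8+7, mixed mode, sharing)'
NEW_OUTPUT='openjdk version "17.0.10" 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7)
OpenJDK 64-Bit Server VM (build 17.0.10+7, mixed mode, sharing)'

# Report on whatever `java` PATH resolves first; skipped when none is installed.
main() {
    if java_is_patched "$NEW_OUTPUT" && ! java_is_patched "$OLD_OUTPUT"; then
        echo "self-test: sample transcripts classified as expected"
    fi
    if command -v java >/dev/null 2>&1; then
        out=$(java -version 2>&1) || out=""
        if java_is_patched "$out"; then
            echo "PATH java is the patched build: $(printf '%s\n' "$out" | extract_java_version)"
        else
            echo "PATH java is NOT the patched build: $(command -v java)" >&2
        fi
    else
        echo "no java on PATH; nothing to check live"
    fi
    return 0
}

main "$@"
```

To use it as a gate in a test script rather than a report, call `java_is_patched "$(java -version 2>&1)" || exit 1` after sourcing the file, and feed `jvm_path_is_patched` the directory that shows up in the `strace` read() lines from comment 4 to confirm that the application under test (LibreOffice there) is loading the same tree.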
Comment 6 Thomas Andrews 2024-03-13 23:39:54 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2024-03-14 00:15:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0056.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

