#16822 closed enhancement (fixed)

Update to OpenJDK-18.0.2 to fix CVE-2022-34169, CVE-2022-21541, and CVE-2022-21540

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 11.2
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

There is a new security vulnerability in OpenJDK that allows for corruption of Java class files and for arbitrary code execution. It occurs in the Apache Xalan Java XSLT Library which is bundled directly into the OpenJDK interpreter.

No future releases of Xalan are expected, but the OpenJDK folks do have it patched upstream:

https://github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297

The problem is an integer truncation issue that occurs when processing malicious XSLT stylesheets.

Looking over at https://openjdk.org/groups/vulnerability/advisories/2022-07-19, it looks like this and two other security vulnerabilities have been addressed. This vulnerability has been rated at 7.5, while CVE-2022-21541 has been rated 5.9 and CVE-2022-21540 has been rated 5.3.

https://jdk.java.net/18/ shows that 18.0.2 has been released.

Change History (9)

comment:1 by Douglas R. Reno, 21 months ago

Summary: changed from Update to OpenJDK-18.0.2 to fix CVE-2022-34169 to Update to OpenJDK-18.0.2 to fix CVE-2022-34169, CVE-2022-21541, and CVE-2022-21540

comment:2 by Douglas R. Reno, 21 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: changed from new to assigned

comment:3 by Douglas R. Reno, 21 months ago

For subversion, the Java bindings must be installed to properly run the tests. I also discovered a race condition which I resolved by adding -j1 to the 'make javahl' command.

comment:4 by Douglas R. Reno, 21 months ago

ant -diagnostics can show which version of Java is in use:

java.vm.version : 18.0.2+8
java.version : 18.0.2
java.runtime.version : 18.0.2+8
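
A small check in the spirit of the `ant -diagnostics` output above, added here as an example and not part of the ticket: it pulls `java.runtime.version` out of diagnostics text and tests whether the installed JDK 18 is at or past the 18.0.2 fix release. The sample diagnostics text is constructed to mirror the lines quoted in this comment, and the check is scoped to the 18 release line this ticket tracks (other release lines have their own fix versions).

```shell
#!/bin/sh
# Added example, not from the BLFS ticket. Decides whether a JDK 18 runtime
# version string (e.g. "18.0.2+8") includes the 18.0.2 security fixes.

FIXED_VERSION="18.0.2"   # fix release named in the ticket

# Drop the "+build" suffix or a "-ea"/"-LTS" tag: "18.0.2+8" -> "18.0.2"
strip_build() {
    printf '%s' "$1" | sed 's/[+-].*$//'
}

# Compare two dotted versions field by field as integers.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2; missing fields count as 0.
version_cmp() {
    awk -v a="$(strip_build "$1")" -v b="$(strip_build "$2")" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# True (exit 0) when the runtime version is at least FIXED_VERSION.
is_fixed() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# Extract the java.runtime.version value from `ant -diagnostics` text on stdin.
runtime_version_from_diagnostics() {
    sed -n 's/^java\.runtime\.version[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Constructed sample, shaped like the ant -diagnostics lines in the ticket.
SAMPLE_DIAGNOSTICS='java.vm.version : 18.0.2+8
java.version : 18.0.2
java.runtime.version : 18.0.2+8'

# Report on a block of diagnostics text; exit 0 if fixed, 1 if it predates 18.0.2.
check_diagnostics() {
    v=$(printf '%s\n' "$1" | runtime_version_from_diagnostics)
    if is_fixed "$v"; then echo "OK: $v includes the 18.0.2 fixes"; return 0; fi
    echo "VULNERABLE: $v predates $FIXED_VERSION"; return 1
}

check_diagnostics "$SAMPLE_DIAGNOSTICS"
```

On a real system, pipe `ant -diagnostics` into `runtime_version_from_diagnostics` instead of the constructed sample.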

comment:5 by Douglas R. Reno, 21 months ago

cyrus-sasl had its Java support removed in cyrus-sasl-2.1.28 (#16160). Removed the mention of that from the book.

comment:6 by Douglas R. Reno, 21 months ago

The x86_64 binary is complete and has been tested, including with the new LibreOffice.

I will resume work on the i686 binary in the morning.

comment:7 by Douglas R. Reno, 21 months ago

I'm almost done with this, just finishing up the binary so I can begin testing it.

Once this is complete, I will file pending security advisories and resume work on other tickets. Trying not to overlap things too much here.

comment:8 by Douglas R. Reno, 21 months ago

Everything except for the i686 binary done at 7c6b211f0e32b9315d3d70df22c4ce02f85b90c9

That will be done later today or tomorrow.

comment:9 by Douglas R. Reno, 21 months ago

Resolution: fixed
Status: changed from assigned to closed

i686 binary done at 66f6b74ec5aaf6d9fbf4b8245304e5b2a140c688

Closing now, will file security advisory once I'm done with WebKit.
