Opened 6 weeks ago
Last modified 10 days ago
#19508 assigned enhancement
jdk-22.0.1
| Reported by: | Xi Ruoyao | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New major version.
Just seen the release note at https://mail.openjdk.org/pipermail/jdk-dev/2024-March/008827.html. I've not found a download link yet.
Change History (8)
comment:1 by , 6 weeks ago
comment:2 by , 5 weeks ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
follow-up: 4 comment:3 by , 2 weeks ago
| Priority: | normal → high |
|---|---|
| Summary: | jdk-22 → jdk-22.0.1 (wait for Tuesday) |
Oracle Java SE Executive Summary

This Critical Patch Update contains 13 new security patches for Oracle Java SE. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.5. The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
Oracle GraalVM Enterprise Edition, versions 20.3.13, 21.3.9
Oracle GraalVM for JDK, versions 17.0.10, 21.0.2, 22
Oracle Java SE, versions 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22
comment:4 by , 12 days ago
Replying to Douglas R. Reno:
> Oracle Java SE Executive Summary
>
> This Critical Patch Update contains 13 new security patches for Oracle Java SE. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.5. The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
> Oracle GraalVM Enterprise Edition, versions 20.3.13, 21.3.9
> Oracle GraalVM for JDK, versions 17.0.10, 21.0.2, 22
> Oracle Java SE, versions 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22
Is that also true for OpenJDKs?
comment:6 by , 10 days ago
| Priority: | high → elevated |
|---|---|
The source is now available, though we're going to go with jdk-22.0.1+0 for a regression fix.
The highest severity issues only impact Oracle GraalVM, so we're only affected by:
CVE-2024-21011 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be a denial of service vulnerability
CVE-2024-21068 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability
CVE-2024-21094 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability
CVE-2024-21012 (Networking), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability
comment:7 by , 10 days ago
Note though that these are all remotely exploitable with no authentication or user interaction required.
comment:8 by , 10 days ago
| Summary: | jdk-22.0.1 (wait for Tuesday) → jdk-22.0.1 |
|---|---|
The tag for the source has been published.