RHSA-2022:0321: Red Hat Security Advisory: OpenJDK 8u322 Windows builds release and security update

Skip to navigation Skip to main content

Utilities

• Subscriptions
• Downloads
• Containers
• Support Cases

Infrastructure and Management

• Red Hat Enterprise Linux
• Red Hat Virtualization
• Red Hat Identity Management
• Red Hat Directory Server
• Red Hat Certificate System
• Red Hat Satellite
• Red Hat Subscription Management
• Red Hat Update Infrastructure
• Red Hat Insights
• Red Hat Ansible Automation Platform

Cloud Computing

• Red Hat OpenShift
• Red Hat CloudForms
• Red Hat OpenStack Platform
• Red Hat OpenShift Container Platform
• Red Hat OpenShift Data Science
• Red Hat OpenShift Online
• Red Hat OpenShift Dedicated
• Red Hat Advanced Cluster Security for Kubernetes
• Red Hat Advanced Cluster Management for Kubernetes
• Red Hat Quay
• Red Hat CodeReady Workspaces
• Red Hat OpenShift Service on AWS

Storage

• Red Hat Gluster Storage
• Red Hat Hyperconverged Infrastructure
• Red Hat Ceph Storage
• Red Hat OpenShift Data Foundation

Runtimes

• Red Hat Runtimes
• Red Hat JBoss Enterprise Application Platform
• Red Hat Data Grid
• Red Hat JBoss Web Server
• Red Hat Single Sign On
• Red Hat support for Spring Boot
• Red Hat build of Node.js
• Red Hat build of Thorntail
• Red Hat build of Eclipse Vert.x
• Red Hat build of OpenJDK
• Red Hat build of Quarkus
• Red Hat CodeReady Studio

Integration and Automation

• Red Hat Process Automation
• Red Hat Process Automation Manager
• Red Hat Decision Manager

All Products

Issued:

2022-01-27

Updated:

2022-01-27

RHSA-2022:0321 - Security Advisory

• Overview
• Updated Packages

Synopsis

Moderate: OpenJDK 8u322 Windows builds release and security update

Type/Severity

Security Advisory: Moderate

Topic

The Red Hat build of OpenJDK 8 (java-1.8.0-openjdk) is now available for Windows.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 8 (8u322) for Windows serves as a replacement for the Red Hat build of OpenJDK 8 (8u312) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

• OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813) (CVE-2022-21283)
• OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392) (CVE-2022-21293)
• OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416) (CVE-2022-21294)
• OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492) (CVE-2022-21282)
• OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498) (CVE-2022-21296)
• OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)
• OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756) (CVE-2022-21360)
• OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365)
• OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934) (CVE-2022-21248)
• OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305)
• OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) (CVE-2022-21340)
• OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236) (CVE-2022-21341)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

• OpenJDK Java (for Middleware) 1 x86_64

Fixes

• BZ - 2041400 - CVE-2022-21283 OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813)
• BZ - 2041417 - CVE-2022-21293 OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392)
• BZ - 2041427 - CVE-2022-21294 OpenJDK: Incorrect IdentityHashMap size checks during deserialization (Libraries, 8270416)
• BZ - 2041435 - CVE-2022-21282 OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492)
• BZ - 2041439 - CVE-2022-21296 OpenJDK: Incorrect access checks in XMLEntityManager (JAXP, 8270498)
• BZ - 2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)
• BZ - 2041491 - CVE-2022-21360 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756)
• BZ - 2041785 - CVE-2022-21365 OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838)
• BZ - 2041801 - CVE-2022-21248 OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934)
• BZ - 2041878 - CVE-2022-21305 OpenJDK: Array indexing issues in LIRGenerator (Hotspot, 8272014)
• BZ - 2041884 - CVE-2022-21340 OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026)
• BZ - 2041897 - CVE-2022-21341 OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream (Serialization, 8272236)

CVEs

• CVE-2022-21248
• CVE-2022-21282
• CVE-2022-21283
• CVE-2022-21293
• CVE-2022-21294
• CVE-2022-21296
• CVE-2022-21299
• CVE-2022-21305
• CVE-2022-21340
• CVE-2022-21341
• CVE-2022-21360
• CVE-2022-21365

OpenJDK Java (for Middleware) 1

SRPM

x86_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.