USN-5719-1: OpenJDK vulnerabilities

Releases

• Ubuntu 22.10
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM

Packages

• openjdk-17 - Open Source Java implementation
• openjdk-19 - Open Source Java implementation
• openjdk-8 - Open Source Java implementation
• openjdk-lts - Open Source Java implementation

Details

It was discovered that OpenJDK incorrectly handled long client hostnames.
An attacker could possibly use this issue to cause the corruption of
sensitive information. (CVE-2022-21619)

It was discovered that OpenJDK incorrectly randomized DNS port numbers. A
remote attacker could possibly use this issue to perform spoofing attacks.
(CVE-2022-21624)

It was discovered that OpenJDK did not limit the number of connections
accepted from HTTP clients. An attacker could possibly use this issue to
cause a denial of service. (CVE-2022-21628)

It was discovered that OpenJDK incorrectly handled X.509 certificates. An
attacker could possibly use this issue to cause a denial of service. This
issue only affected OpenJDK 8 and OpenJDK 11. (CVE-2022-21626)

It was discovered that OpenJDK incorrectly handled cached server
connections. An attacker could possibly use this issue to perform spoofing
attacks. This issue only affected OpenJDK 11, OpenJDK 17 and OpenJDK 19.
(CVE-2022-39399)

It was discovered that OpenJDK incorrectly handled byte conversions. An
attacker could possibly use this issue to obtain sensitive information.
This issue only affected OpenJDK 11, OpenJDK 17 and OpenJDK 19.
(CVE-2022-21618)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.10

• openjdk-8-jre-headless - 8u352-ga-1~22.10
• openjdk-11-jre-headless - 11.0.17+8-1ubuntu2
• openjdk-11-jdk - 11.0.17+8-1ubuntu2
• openjdk-17-jre-headless - 17.0.5+8-2ubuntu1
• openjdk-17-jre - 17.0.5+8-2ubuntu1
• openjdk-17-jdk - 17.0.5+8-2ubuntu1
• openjdk-17-jre-zero - 17.0.5+8-2ubuntu1
• openjdk-8-jre-zero - 8u352-ga-1~22.10
• openjdk-19-jre - 19.0.1+10-1
• openjdk-8-jdk - 8u352-ga-1~22.10
• openjdk-11-jre-zero - 11.0.17+8-1ubuntu2
• openjdk-19-jre-zero - 19.0.1+10-1
• openjdk-8-jre - 8u352-ga-1~22.10
• openjdk-19-jre-headless - 19.0.1+10-1
• openjdk-19-jdk - 19.0.1+10-1
• openjdk-11-jre - 11.0.17+8-1ubuntu2

Ubuntu 22.04

• openjdk-8-jre-headless - 8u352-ga-1~22.04
• openjdk-11-jre-headless - 11.0.17+8-1ubuntu2~22.04
• openjdk-11-jdk - 11.0.17+8-1ubuntu2~22.04
• openjdk-17-jre-headless - 17.0.5+8-2ubuntu1~22.04
• openjdk-17-jre - 17.0.5+8-2ubuntu1~22.04
• openjdk-17-jdk - 17.0.5+8-2ubuntu1~22.04
• openjdk-17-jre-zero - 17.0.5+8-2ubuntu1~22.04
• openjdk-8-jre-zero - 8u352-ga-1~22.04
• openjdk-19-jre - 19.0.1+10-1ubuntu1~22.04
• openjdk-8-jdk - 8u352-ga-1~22.04
• openjdk-11-jre-zero - 11.0.17+8-1ubuntu2~22.04
• openjdk-19-jre-zero - 19.0.1+10-1ubuntu1~22.04
• openjdk-8-jre - 8u352-ga-1~22.04
• openjdk-19-jre-headless - 19.0.1+10-1ubuntu1~22.04
• openjdk-19-jdk - 19.0.1+10-1ubuntu1~22.04
• openjdk-11-jre - 11.0.17+8-1ubuntu2~22.04

Ubuntu 20.04

• openjdk-8-jre-headless - 8u352-ga-1~20.04
• openjdk-8-jre - 8u352-ga-1~20.04
• openjdk-11-jdk - 11.0.17+8-1ubuntu2~20.04
• openjdk-17-jre-headless - 17.0.5+8-2ubuntu1~20.04
• openjdk-17-jre - 17.0.5+8-2ubuntu1~20.04
• openjdk-17-jdk - 17.0.5+8-2ubuntu1~20.04
• openjdk-17-jre-zero - 17.0.5+8-2ubuntu1~20.04
• openjdk-8-jre-zero - 8u352-ga-1~20.04
• openjdk-8-jdk - 8u352-ga-1~20.04
• openjdk-11-jre-zero - 11.0.17+8-1ubuntu2~20.04
• openjdk-11-jre-headless - 11.0.17+8-1ubuntu2~20.04
• openjdk-11-jre - 11.0.17+8-1ubuntu2~20.04

Ubuntu 18.04

• openjdk-8-jre-headless - 8u352-ga-1~18.04
• openjdk-8-jre - 8u352-ga-1~18.04
• openjdk-11-jdk - 11.0.17+8-1ubuntu2~18.04
• openjdk-17-jre-headless - 17.0.5+8-2ubuntu1~18.04
• openjdk-17-jre - 17.0.5+8-2ubuntu1~18.04
• openjdk-17-jdk - 17.0.5+8-2ubuntu1~18.04
• openjdk-17-jre-zero - 17.0.5+8-2ubuntu1~18.04
• openjdk-8-jre-zero - 8u352-ga-1~18.04
• openjdk-8-jdk - 8u352-ga-1~18.04
• openjdk-11-jre-zero - 11.0.17+8-1ubuntu2~18.04
• openjdk-11-jre-headless - 11.0.17+8-1ubuntu2~18.04
• openjdk-11-jre - 11.0.17+8-1ubuntu2~18.04

Ubuntu 16.04

• openjdk-8-jdk - 8u352-ga-1~16.04
  Available with Ubuntu Pro
• openjdk-8-jre-headless - 8u352-ga-1~16.04
  Available with Ubuntu Pro
• openjdk-8-jre - 8u352-ga-1~16.04
  Available with Ubuntu Pro
• openjdk-8-jre-zero - 8u352-ga-1~16.04
  Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

• CVE-2022-21618
• CVE-2022-21626
• CVE-2022-39399
• CVE-2022-21628
• CVE-2022-21619
• CVE-2022-21624