Security: Multiple issues in CRaC
| Name: | Multiple issues in CRaC |
| ID: | USN-7339-1 |
| Distribution: | Ubuntu |
| Platforms: | Ubuntu 24.10 |
| Date: | Tue, 11 March 2025, 07:07 |
| References: | https://openjdk.org/groups/vulnerability/advisories/2024-10-15 |
| | https://www.cve.org/CVERecord?id=CVE-2024-21210 |
| | https://launchpad.net/ubuntu/+source/openjdk-21-crac/21.0.6+7-0ubuntu1~24.10 |
| | https://www.cve.org/CVERecord?id=CVE-2024-21208 |
| | https://www.cve.org/CVERecord?id=CVE-2025-21502 |
| | https://www.cve.org/CVERecord?id=CVE-2024-21217 |
| | https://www.cve.org/CVERecord?id=CVE-2024-21235 |
| | https://openjdk.org/groups/vulnerability/advisories/2025-01-21 |
| Applications: | CRaC |
Original message
From: Evan Caville <evan.caville@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <4ca8b088-4448-446f-965f-e7e81868cadf@canonical.com>
Subject: [USN-7339-1] CRaC JDK 21 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7339-1
March 11, 2025

openjdk-21-crac vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
Several security issues were fixed in CRaC JDK 21.
Software Description:
- openjdk-21-crac: Open Source Java implementation with Coordinated Restore at Checkpoints
Details:
Andy Boothe discovered that the Networking component of CRaC JDK 21 did not properly handle access under certain circumstances. An unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2024-21208)
It was discovered that the Hotspot component of CRaC JDK 21 did not properly handle vectorization under certain circumstances. An unauthenticated attacker could possibly use this issue to access unauthorized resources and expose sensitive information. (CVE-2024-21210, CVE-2024-21235)
It was discovered that the Serialization component of CRaC JDK 21 did not properly handle deserialization under certain circumstances. An unauthenticated attacker could possibly use this issue to cause a denial of service. (CVE-2024-21217)
It was discovered that the Hotspot component of CRaC JDK 21 did not properly handle API access under certain circumstances. An unauthenticated attacker could possibly use this issue to access unauthorized resources and expose sensitive information. (CVE-2025-21502)
In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2024-10-15
https://openjdk.org/groups/vulnerability/advisories/2025-01-21
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.10
  openjdk-21-crac-jdk 21.0.6+7-0ubuntu1~24.10
  openjdk-21-crac-jdk-headless 21.0.6+7-0ubuntu1~24.10
  openjdk-21-crac-jre 21.0.6+7-0ubuntu1~24.10
  openjdk-21-crac-jre-headless 21.0.6+7-0ubuntu1~24.10
  openjdk-21-crac-jre-zero 21.0.6+7-0ubuntu1~24.10
This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart Java applications to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7339-1
CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235, CVE-2025-21502
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-21-crac/21.0.6+7-0ubuntu1~24.10
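
To confirm that a host carries the fixed versions listed under "Update instructions", the following added example (not part of the notice or of Ubuntu's tooling) compares installed versions against 21.0.6+7-0ubuntu1~24.10 using Debian version ordering, in which `~` sorts before everything, including the end of the string. It assumes input in the form produced by `dpkg-query -W -f='${Package} ${Version}\n'`; the sample rows, including the older version string, are constructed.

```python
import re

# Fixed version and binary package names, as listed in the notice for Ubuntu 24.10.
FIXED = "21.0.6+7-0ubuntu1~24.10"
PACKAGES = {"openjdk-21-crac-jdk", "openjdk-21-crac-jdk-headless", "openjdk-21-crac-jre",
            "openjdk-21-crac-jre-headless", "openjdk-21-crac-jre-zero"}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE = """\
openjdk-21-crac-jdk 21.0.6+7-0ubuntu1~24.10
openjdk-21-crac-jre-headless 21.0.5+11-0ubuntu1~24.10
"""

def _order(c):
    # dpkg ordering of non-digit characters: '~' < end/digit < letters < the rest.
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) + (0 if c.isalpha() else 256)

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Digit run, compared numerically (so 10 > 6, unlike a string compare).
        na, nb = re.match(r"[0-9]*", a[i:]).group(), re.match(r"[0-9]*", b[j:]).group()
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
        i, j = i + len(na), j + len(nb)
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 following Debian version ordering (epoch, upstream, revision)."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(dpkg_output):
    """Map each advisory package installed below FIXED to its installed version."""
    rows = (line.split() for line in dpkg_output.splitlines())
    return {r[0]: r[1] for r in rows
            if len(r) == 2 and r[0] in PACKAGES and compare_versions(r[1], FIXED) < 0}
```

On a live system, `dpkg --compare-versions` performs the same comparison.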