Amazon Linux AMI update for java-21-amazon-corretto



Risk Low
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2024-21011
CVE-2024-21012
CVE-2024-21068
CVE-2024-21094
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Amazon Linux AMI
Operating systems & Components / Operating system

Vendor Amazon Web Services

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU88666

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21011

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Update the affected packages:

aarch64:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-devel-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-headless-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-javadoc-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-jmods-21.0.3+9-1.amzn2023.1.aarch64

src:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.src

x86_64:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-devel-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-headless-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-javadoc-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-jmods-21.0.3+9-1.amzn2023.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-598.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU88669

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21012

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected packages:

aarch64:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-devel-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-headless-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-javadoc-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-jmods-21.0.3+9-1.amzn2023.1.aarch64

src:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.src

x86_64:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-devel-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-headless-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-javadoc-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-jmods-21.0.3+9-1.amzn2023.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-598.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU88667

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21068

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected packages:

aarch64:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-devel-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-headless-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-javadoc-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-jmods-21.0.3+9-1.amzn2023.1.aarch64

src:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.src

x86_64:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-devel-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-headless-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-javadoc-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-jmods-21.0.3+9-1.amzn2023.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-598.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU88668

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21094

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected packages:

aarch64:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-devel-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-headless-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-javadoc-21.0.3+9-1.amzn2023.1.aarch64
    java-21-amazon-corretto-jmods-21.0.3+9-1.amzn2023.1.aarch64

src:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.src

x86_64:
    java-21-amazon-corretto-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-devel-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-headless-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-javadoc-21.0.3+9-1.amzn2023.1.x86_64
    java-21-amazon-corretto-jmods-21.0.3+9-1.amzn2023.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3 External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-598.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###