Amazon Linux AMI update for java-11-amazon-corretto
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20922 CVE-2024-20923 CVE-2024-20925 CVE-2024-20926 CVE-2024-20945 CVE-2024-20952 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Improper input validation
EUVDB-ID: #VU85468
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-20918
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU85470
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-20919
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU85471
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-20921
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper input validation
EUVDB-ID: #VU85477
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-20922
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the JavaFX component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper input validation
EUVDB-ID: #VU85475
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-20923
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JavaFX component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper input validation
EUVDB-ID: #VU85476
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-20925
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the JavaFX component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper input validation
EUVDB-ID: #VU85472
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-20926
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Scripting component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper input validation
EUVDB-ID: #VU85473
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-20945
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local authenticated user can exploit this vulnerability to gain access to sensitive information.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper input validation
EUVDB-ID: #VU85469
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-20952
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
MitigationUpdate the affected packages:
aarch64:Vulnerable software versions
java-11-amazon-corretto-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.aarch64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.aarch64
src:
java-11-amazon-corretto-11.0.22+7-1.amzn2023.src
x86_64:
java-11-amazon-corretto-headless-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-javadoc-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-jmods-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-11.0.22+7-1.amzn2023.x86_64
java-11-amazon-corretto-devel-11.0.22+7-1.amzn2023.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttp://alas.aws.amazon.com/AL2023/ALAS-2024-484.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
