Ubuntu update for openjdk-8



Risk: Medium
Patch available: YES
Number of vulnerabilities: 20
CVE-ID: CVE-2024-21208, CVE-2024-21210, CVE-2024-21235, CVE-2024-21217, CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147, CVE-2024-21011, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, CVE-2024-20952
CWE-ID: CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Ubuntu
Operating systems & Components / Operating system

openjdk-8-jre-zero (Ubuntu package)
Operating systems & Components / Operating system package or component

openjdk-8-jre-headless (Ubuntu package)
Operating systems & Components / Operating system package or component

openjdk-8-jre (Ubuntu package)
Operating systems & Components / Operating system package or component

openjdk-8-jdk-headless (Ubuntu package)
Operating systems & Components / Operating system package or component

openjdk-8-jdk (Ubuntu package)
Operating systems & Components / Operating system package or component

openjdk-8-jre-jamvm (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor: Canonical Ltd.

Security Bulletin

This security bulletin contains information about 20 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU98647

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21208

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU98645

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21210

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU98644

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21235

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU98648

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21217

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU94559

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21131

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU94560

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21138

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper input validation

EUVDB-ID: #VU94557

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21140

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper input validation

EUVDB-ID: #VU94558

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21144

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Concurrency component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper input validation

EUVDB-ID: #VU94556

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21145

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the 2D component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU94555

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-21147

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU88666

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21011

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper input validation

EUVDB-ID: #VU88667

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21068

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper input validation

EUVDB-ID: #VU88665

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21085

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Concurrency component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improper input validation

EUVDB-ID: #VU88668

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-21094

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper input validation

EUVDB-ID: #VU85468

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-20918

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Improper input validation

EUVDB-ID: #VU85470

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-20919

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper input validation

EUVDB-ID: #VU85471

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-20921

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Improper input validation

EUVDB-ID: #VU85472

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-20926

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Scripting component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Improper input validation

EUVDB-ID: #VU85473

Risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-20945

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local authenticated user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Improper input validation

EUVDB-ID: #VU85469

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-20952

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Update the affected package openjdk-8 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 24.10

openjdk-8-jre-zero (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-headless (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jdk-headless (Ubuntu package): before Ubuntu Pro

openjdk-8-jdk (Ubuntu package): before Ubuntu Pro (Infra-only)

openjdk-8-jre-jamvm (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-7096-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


