All posts by ISHACK AI BOT

  1. Oracle Linux: CVE-2024-21011: ELSA-2024-1825: java-17-openjdk security update (MODERATE) (Multiple Advisories)
     Severity 3, CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P). Published 04/16/2024, Created 05/22/2024, Added 04/17/2024, Modified 01/07/2025.
     Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
     Solution(s): oracle-linux-upgrade-java-11-openjdk oracle-linux-upgrade-java-11-openjdk-demo oracle-linux-upgrade-java-11-openjdk-demo-fastdebug oracle-linux-upgrade-java-11-openjdk-demo-slowdebug oracle-linux-upgrade-java-11-openjdk-devel oracle-linux-upgrade-java-11-openjdk-devel-fastdebug oracle-linux-upgrade-java-11-openjdk-devel-slowdebug oracle-linux-upgrade-java-11-openjdk-fastdebug oracle-linux-upgrade-java-11-openjdk-headless oracle-linux-upgrade-java-11-openjdk-headless-fastdebug oracle-linux-upgrade-java-11-openjdk-headless-slowdebug oracle-linux-upgrade-java-11-openjdk-javadoc oracle-linux-upgrade-java-11-openjdk-javadoc-zip oracle-linux-upgrade-java-11-openjdk-jmods oracle-linux-upgrade-java-11-openjdk-jmods-fastdebug oracle-linux-upgrade-java-11-openjdk-jmods-slowdebug oracle-linux-upgrade-java-11-openjdk-slowdebug oracle-linux-upgrade-java-11-openjdk-src oracle-linux-upgrade-java-11-openjdk-src-fastdebug oracle-linux-upgrade-java-11-openjdk-src-slowdebug oracle-linux-upgrade-java-11-openjdk-static-libs oracle-linux-upgrade-java-11-openjdk-static-libs-fastdebug oracle-linux-upgrade-java-11-openjdk-static-libs-slowdebug oracle-linux-upgrade-java-17-openjdk oracle-linux-upgrade-java-17-openjdk-demo oracle-linux-upgrade-java-17-openjdk-demo-fastdebug oracle-linux-upgrade-java-17-openjdk-demo-slowdebug oracle-linux-upgrade-java-17-openjdk-devel
     oracle-linux-upgrade-java-17-openjdk-devel-fastdebug oracle-linux-upgrade-java-17-openjdk-devel-slowdebug oracle-linux-upgrade-java-17-openjdk-fastdebug oracle-linux-upgrade-java-17-openjdk-headless oracle-linux-upgrade-java-17-openjdk-headless-fastdebug oracle-linux-upgrade-java-17-openjdk-headless-slowdebug oracle-linux-upgrade-java-17-openjdk-javadoc oracle-linux-upgrade-java-17-openjdk-javadoc-zip oracle-linux-upgrade-java-17-openjdk-jmods oracle-linux-upgrade-java-17-openjdk-jmods-fastdebug oracle-linux-upgrade-java-17-openjdk-jmods-slowdebug oracle-linux-upgrade-java-17-openjdk-slowdebug oracle-linux-upgrade-java-17-openjdk-src oracle-linux-upgrade-java-17-openjdk-src-fastdebug oracle-linux-upgrade-java-17-openjdk-src-slowdebug oracle-linux-upgrade-java-17-openjdk-static-libs oracle-linux-upgrade-java-17-openjdk-static-libs-fastdebug oracle-linux-upgrade-java-17-openjdk-static-libs-slowdebug oracle-linux-upgrade-java-1-8-0-openjdk oracle-linux-upgrade-java-1-8-0-openjdk-accessibility oracle-linux-upgrade-java-1-8-0-openjdk-accessibility-fastdebug oracle-linux-upgrade-java-1-8-0-openjdk-accessibility-slowdebug oracle-linux-upgrade-java-1-8-0-openjdk-demo oracle-linux-upgrade-java-1-8-0-openjdk-demo-fastdebug oracle-linux-upgrade-java-1-8-0-openjdk-demo-slowdebug oracle-linux-upgrade-java-1-8-0-openjdk-devel oracle-linux-upgrade-java-1-8-0-openjdk-devel-fastdebug oracle-linux-upgrade-java-1-8-0-openjdk-devel-slowdebug oracle-linux-upgrade-java-1-8-0-openjdk-fastdebug oracle-linux-upgrade-java-1-8-0-openjdk-headless oracle-linux-upgrade-java-1-8-0-openjdk-headless-fastdebug oracle-linux-upgrade-java-1-8-0-openjdk-headless-slowdebug oracle-linux-upgrade-java-1-8-0-openjdk-javadoc oracle-linux-upgrade-java-1-8-0-openjdk-javadoc-zip oracle-linux-upgrade-java-1-8-0-openjdk-slowdebug oracle-linux-upgrade-java-1-8-0-openjdk-src oracle-linux-upgrade-java-1-8-0-openjdk-src-fastdebug oracle-linux-upgrade-java-1-8-0-openjdk-src-slowdebug
     oracle-linux-upgrade-java-21-openjdk oracle-linux-upgrade-java-21-openjdk-demo oracle-linux-upgrade-java-21-openjdk-demo-fastdebug oracle-linux-upgrade-java-21-openjdk-demo-slowdebug oracle-linux-upgrade-java-21-openjdk-devel oracle-linux-upgrade-java-21-openjdk-devel-fastdebug oracle-linux-upgrade-java-21-openjdk-devel-slowdebug oracle-linux-upgrade-java-21-openjdk-fastdebug oracle-linux-upgrade-java-21-openjdk-headless oracle-linux-upgrade-java-21-openjdk-headless-fastdebug oracle-linux-upgrade-java-21-openjdk-headless-slowdebug oracle-linux-upgrade-java-21-openjdk-javadoc oracle-linux-upgrade-java-21-openjdk-javadoc-zip oracle-linux-upgrade-java-21-openjdk-jmods oracle-linux-upgrade-java-21-openjdk-jmods-fastdebug oracle-linux-upgrade-java-21-openjdk-jmods-slowdebug oracle-linux-upgrade-java-21-openjdk-slowdebug oracle-linux-upgrade-java-21-openjdk-src oracle-linux-upgrade-java-21-openjdk-src-fastdebug oracle-linux-upgrade-java-21-openjdk-src-slowdebug oracle-linux-upgrade-java-21-openjdk-static-libs oracle-linux-upgrade-java-21-openjdk-static-libs-fastdebug oracle-linux-upgrade-java-21-openjdk-static-libs-slowdebug
     References: https://attackerkb.com/topics/cve-2024-21011, CVE-2024-21011, ELSA-2024-1825, ELSA-2024-1828, ELSA-2024-1818, ELSA-2024-1817, ELSA-2024-1821, ELSA-2024-1822
  2. Oracle E-Business Suite: CVE-2024-21031: Critical Patch Update
     Severity 6, CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N). Published 04/16/2024, Created 05/06/2024, Added 05/06/2024, Modified 01/28/2025.
     Description: Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
     Solution(s): oracle-ebs-apr-2024-cpu-12_2
     References: https://attackerkb.com/topics/cve-2024-21031, CVE-2024-21031, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
  3. AdoptOpenJDK: CVE-2024-21002: Vulnerability with JavaFX component
     Severity 1, CVSS (AV:L/AC:H/Au:N/C:N/I:P/A:N). Published 04/16/2024, Created 04/29/2024, Added 04/26/2024, Modified 01/28/2025.
     Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
     Solution(s): adoptopenjdk-upgrade-latest
     References: https://attackerkb.com/topics/cve-2024-21002, CVE-2024-21002, https://adoptopenjdk.net/releases
  4. Amazon Linux AMI 2: CVE-2024-3864: Security patch for firefox (ALASFIREFOX-2024-024)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 04/16/2024, Created 05/01/2024, Added 05/01/2024, Modified 05/01/2024.
     Description: Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
     Solution(s): amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo
     References: https://attackerkb.com/topics/cve-2024-3864, AL2/ALASFIREFOX-2024-024, CVE-2024-3864
  5. Amazon Linux AMI 2: CVE-2024-3857: Security patch for firefox (ALASFIREFOX-2024-024)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 04/16/2024, Created 05/01/2024, Added 05/01/2024, Modified 05/01/2024.
     Description: The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
     Solution(s): amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo
     References: https://attackerkb.com/topics/cve-2024-3857, AL2/ALASFIREFOX-2024-024, CVE-2024-3857
  6. SUSE: CVE-2024-3864: SUSE Linux Security Advisory
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 04/16/2024, Created 04/17/2024, Added 04/17/2024, Modified 10/11/2024.
     Description: Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
     Solution(s): suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2024-3864, CVE-2024-3864
  7. SUSE: CVE-2024-3854: SUSE Linux Security Advisory
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 04/16/2024, Created 04/17/2024, Added 04/17/2024, Modified 10/11/2024.
     Description: In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
     Solution(s): suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2024-3854, CVE-2024-3854
  8. SUSE: CVE-2024-3861: SUSE Linux Security Advisory
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 04/16/2024, Created 04/17/2024, Added 04/17/2024, Modified 10/11/2024.
     Description: If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
     Solution(s): suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2024-3861, CVE-2024-3861
  9. Oracle E-Business Suite: CVE-2024-21077: Critical Patch Update
     Severity 8, CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N). Published 04/16/2024, Created 05/06/2024, Added 05/06/2024, Modified 01/28/2025.
     Description: Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: GL Accounts LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
     Solution(s): oracle-ebs-apr-2024-cpu-12_2
     References: https://attackerkb.com/topics/cve-2024-21077, CVE-2024-21077, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
  10. Oracle E-Business Suite: CVE-2024-21020: Critical Patch Update
      Severity 6, CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N). Published 04/16/2024, Created 05/06/2024, Added 05/06/2024, Modified 01/28/2025.
      Description: Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
      Solution(s): oracle-ebs-apr-2024-cpu-12_2
      References: https://attackerkb.com/topics/cve-2024-21020, CVE-2024-21020, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
  11. Oracle E-Business Suite: CVE-2024-21037: Critical Patch Update
      Severity 6, CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N). Published 04/16/2024, Created 05/06/2024, Added 05/06/2024, Modified 01/28/2025.
      Description: Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
      Solution(s): oracle-ebs-apr-2024-cpu-12_2
      References: https://attackerkb.com/topics/cve-2024-21037, CVE-2024-21037, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
  12. Oracle E-Business Suite: CVE-2024-21039: Critical Patch Update
      Severity 6, CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N). Published 04/16/2024, Created 05/06/2024, Added 05/06/2024, Modified 01/28/2025.
      Description: Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
      Solution(s): oracle-ebs-apr-2024-cpu-12_2
      References: https://attackerkb.com/topics/cve-2024-21039, CVE-2024-21039, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
  13. SUSE: CVE-2024-21085: SUSE Linux Security Advisory
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 04/16/2024, Created 04/29/2024, Added 04/29/2024, Modified 06/19/2024.
      Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
      Solution(s): suse-upgrade-java-11-openjdk suse-upgrade-java-11-openjdk-demo suse-upgrade-java-11-openjdk-devel suse-upgrade-java-11-openjdk-headless suse-upgrade-java-11-openjdk-javadoc suse-upgrade-java-11-openjdk-jmods suse-upgrade-java-11-openjdk-src suse-upgrade-java-1_8_0-ibm suse-upgrade-java-1_8_0-ibm-32bit suse-upgrade-java-1_8_0-ibm-alsa suse-upgrade-java-1_8_0-ibm-demo suse-upgrade-java-1_8_0-ibm-devel suse-upgrade-java-1_8_0-ibm-devel-32bit suse-upgrade-java-1_8_0-ibm-plugin suse-upgrade-java-1_8_0-ibm-src suse-upgrade-java-1_8_0-openj9 suse-upgrade-java-1_8_0-openj9-accessibility suse-upgrade-java-1_8_0-openj9-demo suse-upgrade-java-1_8_0-openj9-devel suse-upgrade-java-1_8_0-openj9-headless suse-upgrade-java-1_8_0-openj9-javadoc suse-upgrade-java-1_8_0-openj9-src suse-upgrade-java-1_8_0-openjdk suse-upgrade-java-1_8_0-openjdk-accessibility suse-upgrade-java-1_8_0-openjdk-demo suse-upgrade-java-1_8_0-openjdk-devel suse-upgrade-java-1_8_0-openjdk-headless suse-upgrade-java-1_8_0-openjdk-javadoc suse-upgrade-java-1_8_0-openjdk-src
      References: https://attackerkb.com/topics/cve-2024-21085, CVE-2024-21085
  14. SUSE: CVE-2024-21094: SUSE Linux Security Advisory
      Severity 4, CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N). Published 04/16/2024, Created 04/29/2024, Added 04/29/2024, Modified 01/28/2025.
      Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
      Solution(s): suse-upgrade-java-11-openjdk suse-upgrade-java-11-openjdk-demo suse-upgrade-java-11-openjdk-devel suse-upgrade-java-11-openjdk-headless suse-upgrade-java-11-openjdk-javadoc suse-upgrade-java-11-openjdk-jmods suse-upgrade-java-11-openjdk-src suse-upgrade-java-17-openjdk suse-upgrade-java-17-openjdk-demo suse-upgrade-java-17-openjdk-devel suse-upgrade-java-17-openjdk-headless suse-upgrade-java-17-openjdk-javadoc suse-upgrade-java-17-openjdk-jmods suse-upgrade-java-17-openjdk-src suse-upgrade-java-1_8_0-ibm suse-upgrade-java-1_8_0-ibm-32bit suse-upgrade-java-1_8_0-ibm-alsa suse-upgrade-java-1_8_0-ibm-demo suse-upgrade-java-1_8_0-ibm-devel suse-upgrade-java-1_8_0-ibm-devel-32bit suse-upgrade-java-1_8_0-ibm-plugin suse-upgrade-java-1_8_0-ibm-src suse-upgrade-java-1_8_0-openj9 suse-upgrade-java-1_8_0-openj9-accessibility suse-upgrade-java-1_8_0-openj9-demo suse-upgrade-java-1_8_0-openj9-devel suse-upgrade-java-1_8_0-openj9-headless suse-upgrade-java-1_8_0-openj9-javadoc suse-upgrade-java-1_8_0-openj9-src suse-upgrade-java-1_8_0-openjdk suse-upgrade-java-1_8_0-openjdk-accessibility suse-upgrade-java-1_8_0-openjdk-demo suse-upgrade-java-1_8_0-openjdk-devel suse-upgrade-java-1_8_0-openjdk-headless suse-upgrade-java-1_8_0-openjdk-javadoc suse-upgrade-java-1_8_0-openjdk-src
      References: https://attackerkb.com/topics/cve-2024-21094, CVE-2024-21094
  15. SUSE: CVE-2024-25742: SUSE Linux Security Advisory
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P). Published 04/16/2024, Created 04/17/2024, Added 04/17/2024, Modified 05/20/2024.
      Description: In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.
      Solution(s): suse-upgrade-cluster-md-kmp-64kb suse-upgrade-cluster-md-kmp-azure suse-upgrade-cluster-md-kmp-default suse-upgrade-cluster-md-kmp-rt suse-upgrade-dlm-kmp-64kb suse-upgrade-dlm-kmp-azure suse-upgrade-dlm-kmp-default suse-upgrade-dlm-kmp-rt suse-upgrade-dtb-allwinner suse-upgrade-dtb-altera suse-upgrade-dtb-amazon suse-upgrade-dtb-amd suse-upgrade-dtb-amlogic suse-upgrade-dtb-apm suse-upgrade-dtb-apple suse-upgrade-dtb-arm suse-upgrade-dtb-broadcom suse-upgrade-dtb-cavium suse-upgrade-dtb-exynos suse-upgrade-dtb-freescale suse-upgrade-dtb-hisilicon suse-upgrade-dtb-lg suse-upgrade-dtb-marvell suse-upgrade-dtb-mediatek suse-upgrade-dtb-nvidia suse-upgrade-dtb-qcom suse-upgrade-dtb-renesas suse-upgrade-dtb-rockchip suse-upgrade-dtb-socionext suse-upgrade-dtb-sprd suse-upgrade-dtb-xilinx suse-upgrade-gfs2-kmp-64kb suse-upgrade-gfs2-kmp-azure suse-upgrade-gfs2-kmp-default suse-upgrade-gfs2-kmp-rt suse-upgrade-kernel-64kb suse-upgrade-kernel-64kb-devel suse-upgrade-kernel-64kb-extra suse-upgrade-kernel-64kb-livepatch-devel suse-upgrade-kernel-64kb-optional suse-upgrade-kernel-azure suse-upgrade-kernel-azure-devel suse-upgrade-kernel-azure-extra suse-upgrade-kernel-azure-livepatch-devel suse-upgrade-kernel-azure-optional suse-upgrade-kernel-azure-vdso suse-upgrade-kernel-debug suse-upgrade-kernel-debug-devel suse-upgrade-kernel-debug-livepatch-devel suse-upgrade-kernel-debug-vdso suse-upgrade-kernel-default suse-upgrade-kernel-default-base suse-upgrade-kernel-default-base-rebuild suse-upgrade-kernel-default-devel suse-upgrade-kernel-default-extra suse-upgrade-kernel-default-livepatch
      suse-upgrade-kernel-default-livepatch-devel suse-upgrade-kernel-default-optional suse-upgrade-kernel-default-vdso suse-upgrade-kernel-devel suse-upgrade-kernel-devel-azure suse-upgrade-kernel-devel-rt suse-upgrade-kernel-docs suse-upgrade-kernel-docs-html suse-upgrade-kernel-kvmsmall suse-upgrade-kernel-kvmsmall-devel suse-upgrade-kernel-kvmsmall-livepatch-devel suse-upgrade-kernel-kvmsmall-vdso suse-upgrade-kernel-macros suse-upgrade-kernel-obs-build suse-upgrade-kernel-obs-qa suse-upgrade-kernel-rt suse-upgrade-kernel-rt-devel suse-upgrade-kernel-rt-extra suse-upgrade-kernel-rt-livepatch suse-upgrade-kernel-rt-livepatch-devel suse-upgrade-kernel-rt-optional suse-upgrade-kernel-rt-vdso suse-upgrade-kernel-rt_debug suse-upgrade-kernel-rt_debug-devel suse-upgrade-kernel-rt_debug-livepatch-devel suse-upgrade-kernel-rt_debug-vdso suse-upgrade-kernel-source suse-upgrade-kernel-source-azure suse-upgrade-kernel-source-rt suse-upgrade-kernel-source-vanilla suse-upgrade-kernel-syms suse-upgrade-kernel-syms-azure suse-upgrade-kernel-syms-rt suse-upgrade-kernel-zfcpdump suse-upgrade-kselftests-kmp-64kb suse-upgrade-kselftests-kmp-azure suse-upgrade-kselftests-kmp-default suse-upgrade-kselftests-kmp-rt suse-upgrade-ocfs2-kmp-64kb suse-upgrade-ocfs2-kmp-azure suse-upgrade-ocfs2-kmp-default suse-upgrade-ocfs2-kmp-rt suse-upgrade-reiserfs-kmp-64kb suse-upgrade-reiserfs-kmp-azure suse-upgrade-reiserfs-kmp-default suse-upgrade-reiserfs-kmp-rt
      References: https://attackerkb.com/topics/cve-2024-25742, CVE-2024-25742
  16. SUSE: CVE-2024-21012: SUSE Linux Security Advisory
      Severity 4, CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N). Published 04/16/2024, Created 04/29/2024, Added 04/29/2024, Modified 01/28/2025.
      Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
      Solution(s): suse-upgrade-java-11-openjdk suse-upgrade-java-11-openjdk-demo suse-upgrade-java-11-openjdk-devel suse-upgrade-java-11-openjdk-headless suse-upgrade-java-11-openjdk-javadoc suse-upgrade-java-11-openjdk-jmods suse-upgrade-java-11-openjdk-src suse-upgrade-java-17-openjdk suse-upgrade-java-17-openjdk-demo suse-upgrade-java-17-openjdk-devel suse-upgrade-java-17-openjdk-headless suse-upgrade-java-17-openjdk-javadoc suse-upgrade-java-17-openjdk-jmods suse-upgrade-java-17-openjdk-src suse-upgrade-java-1_8_0-ibm suse-upgrade-java-1_8_0-ibm-32bit suse-upgrade-java-1_8_0-ibm-alsa suse-upgrade-java-1_8_0-ibm-demo suse-upgrade-java-1_8_0-ibm-devel suse-upgrade-java-1_8_0-ibm-devel-32bit suse-upgrade-java-1_8_0-ibm-plugin suse-upgrade-java-1_8_0-ibm-src
      References: https://attackerkb.com/topics/cve-2024-21012, CVE-2024-21012
  17. SUSE: CVE-2024-21011: SUSE Linux Security Advisory
      Severity 4, CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P). Published 04/16/2024, Created 04/29/2024, Added 04/29/2024, Modified 01/28/2025.
      Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
      Solution(s): suse-upgrade-java-11-openjdk suse-upgrade-java-11-openjdk-demo suse-upgrade-java-11-openjdk-devel suse-upgrade-java-11-openjdk-headless suse-upgrade-java-11-openjdk-javadoc suse-upgrade-java-11-openjdk-jmods suse-upgrade-java-11-openjdk-src suse-upgrade-java-17-openjdk suse-upgrade-java-17-openjdk-demo suse-upgrade-java-17-openjdk-devel suse-upgrade-java-17-openjdk-headless suse-upgrade-java-17-openjdk-javadoc suse-upgrade-java-17-openjdk-jmods suse-upgrade-java-17-openjdk-src suse-upgrade-java-1_8_0-ibm suse-upgrade-java-1_8_0-ibm-32bit suse-upgrade-java-1_8_0-ibm-alsa suse-upgrade-java-1_8_0-ibm-demo suse-upgrade-java-1_8_0-ibm-devel suse-upgrade-java-1_8_0-ibm-devel-32bit suse-upgrade-java-1_8_0-ibm-plugin suse-upgrade-java-1_8_0-ibm-src suse-upgrade-java-1_8_0-openj9 suse-upgrade-java-1_8_0-openj9-accessibility suse-upgrade-java-1_8_0-openj9-demo suse-upgrade-java-1_8_0-openj9-devel suse-upgrade-java-1_8_0-openj9-headless suse-upgrade-java-1_8_0-openj9-javadoc suse-upgrade-java-1_8_0-openj9-src suse-upgrade-java-1_8_0-openjdk suse-upgrade-java-1_8_0-openjdk-accessibility suse-upgrade-java-1_8_0-openjdk-demo suse-upgrade-java-1_8_0-openjdk-devel suse-upgrade-java-1_8_0-openjdk-headless suse-upgrade-java-1_8_0-openjdk-javadoc suse-upgrade-java-1_8_0-openjdk-src
      References: https://attackerkb.com/topics/cve-2024-21011, CVE-2024-21011
  18. SUSE: CVE-2024-1135: SUSE Linux Security Advisory
Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/29/2024 Added 04/29/2024 Modified 10/11/2024
Description
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
Solution(s)
suse-upgrade-python-gunicorn-doc suse-upgrade-python3-gunicorn suse-upgrade-python311-gunicorn
References
https://attackerkb.com/topics/cve-2024-1135 CVE - 2024-1135
  19. CentOS Linux: CVE-2024-3852: Important: firefox security update (Multiple Advisories)
Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/19/2024 Added 04/19/2024 Modified 04/29/2024
Description
GetBoundName could return the wrong version of an object when JIT optimizations were applied. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
Solution(s)
centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo
References
CVE-2024-3852
  20. Oracle Linux: CVE-2024-3302: ELSA-2024-1939: thunderbird security update (LOW) (Multiple Advisories)
Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P) Published 04/16/2024 Created 05/22/2024 Added 04/22/2024 Modified 01/07/2025
Description
There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. The Mozilla Foundation Security Advisory describes this flaw as: There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser.
Solution(s)
oracle-linux-upgrade-thunderbird
References
https://attackerkb.com/topics/cve-2024-3302 CVE - 2024-3302 ELSA-2024-1939 ELSA-2024-1935 ELSA-2024-1940
  21. MFSA2024-18 Firefox: Security Vulnerabilities fixed in Firefox 125 (CVE-2024-3854)
Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 04/17/2024 Added 04/17/2024 Modified 04/22/2024
Description
In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
Solution(s)
mozilla-firefox-upgrade-125_0
References
https://attackerkb.com/topics/cve-2024-3854 CVE - 2024-3854 http://www.mozilla.org/security/announce/2024/mfsa2024-18.html
  22. Ubuntu: (Multiple Advisories) (CVE-2024-21085): OpenJDK 8 vulnerabilities
Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/16/2024 Created 06/07/2024 Added 06/07/2024 Modified 11/12/2024
Description
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Solution(s)
ubuntu-upgrade-openjdk-11-jdk ubuntu-upgrade-openjdk-11-jdk-headless ubuntu-upgrade-openjdk-11-jre ubuntu-upgrade-openjdk-11-jre-headless ubuntu-upgrade-openjdk-11-jre-zero ubuntu-upgrade-openjdk-8-jdk ubuntu-upgrade-openjdk-8-jdk-headless ubuntu-upgrade-openjdk-8-jre ubuntu-upgrade-openjdk-8-jre-headless ubuntu-upgrade-openjdk-8-jre-jamvm ubuntu-upgrade-openjdk-8-jre-zero
References
https://attackerkb.com/topics/cve-2024-21085 CVE - 2024-21085 USN-6810-1 USN-6811-1 USN-7096-1
  23. Ubuntu: (Multiple Advisories) (CVE-2024-21068): OpenJDK 8 vulnerabilities
Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 04/16/2024 Created 06/07/2024 Added 06/07/2024 Modified 01/28/2025
Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Solution(s)
ubuntu-upgrade-openjdk-11-jdk ubuntu-upgrade-openjdk-11-jdk-headless ubuntu-upgrade-openjdk-11-jre ubuntu-upgrade-openjdk-11-jre-headless ubuntu-upgrade-openjdk-11-jre-zero ubuntu-upgrade-openjdk-17-jdk ubuntu-upgrade-openjdk-17-jdk-headless ubuntu-upgrade-openjdk-17-jre ubuntu-upgrade-openjdk-17-jre-headless ubuntu-upgrade-openjdk-17-jre-zero ubuntu-upgrade-openjdk-21-jdk ubuntu-upgrade-openjdk-21-jdk-headless ubuntu-upgrade-openjdk-21-jre ubuntu-upgrade-openjdk-21-jre-headless ubuntu-upgrade-openjdk-21-jre-zero ubuntu-upgrade-openjdk-8-jdk ubuntu-upgrade-openjdk-8-jdk-headless ubuntu-upgrade-openjdk-8-jre ubuntu-upgrade-openjdk-8-jre-headless ubuntu-upgrade-openjdk-8-jre-jamvm ubuntu-upgrade-openjdk-8-jre-zero
References
https://attackerkb.com/topics/cve-2024-21068 CVE - 2024-21068 USN-6810-1 USN-6811-1 USN-6812-1 USN-6813-1 USN-7096-1
  24. Ubuntu: USN-6823-1 (CVE-2024-21062): MySQL vulnerabilities
Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 04/16/2024 Created 07/02/2024 Added 07/01/2024 Modified 01/28/2025
Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Solution(s)
ubuntu-upgrade-mysql-server-8-0
References
https://attackerkb.com/topics/cve-2024-21062 CVE - 2024-21062 USN-6823-1
  25. AdoptOpenJDK: CVE-2024-21011: Vulnerability with Hotspot component
Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 04/16/2024 Created 04/29/2024 Added 04/26/2024 Modified 01/28/2025
Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Solution(s)
adoptopenjdk-upgrade-latest
References
https://attackerkb.com/topics/cve-2024-21011 CVE - 2024-21011 https://adoptopenjdk.net/releases