Ubuntu Local Security Checks : Ubuntu: Security Advisory (USN-6077-1)

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.12.2023.6077.1

Category: Ubuntu Local Security Checks

Title: Ubuntu: Security Advisory (USN-6077-1)

Summary: The remote host is missing an update for the 'openjdk-8, openjdk-17, openjdk-20, openjdk-lts' package(s) announced via the USN-6077-1 advisory.

Description: Summary:
The remote host is missing an update for the 'openjdk-8, openjdk-17, openjdk-20, openjdk-lts' package(s) announced via the USN-6077-1 advisory.

Vulnerability Insight:
Ben Smyth discovered that OpenJDK incorrectly handled half-duplex
connections during TLS handshake. A remote attacker could possibly use
this issue to insert, edit or obtain sensitive information.
(CVE-2023-21930)

It was discovered that OpenJDK incorrectly handled certain inputs. An
attacker could possibly use this issue to insert, edit or obtain sensitive
information. (CVE-2023-21937)

It was discovered that OpenJDK incorrectly handled command arguments. An
attacker could possibly use this issue to insert, edit or obtain sensitive
information. (CVE-2023-21938)

It was discovered that OpenJDK incorrectly validated HTML documents. An
attacker could possibly use this issue to insert, edit or obtain sensitive
information. (CVE-2023-21939)

Ramki Ramakrishna discovered that OpenJDK incorrectly handled garbage
collection. An attacker could possibly use this issue to bypass Java
sandbox restrictions. (CVE-2023-21954)

Jonathan Looney discovered that OpenJDK incorrectly handled certificate
chains during TLS session negotiation. A remote attacker could possibly
use this issue to cause a denial of service. (CVE-2023-21967)

Adam Reziouk discovered that OpenJDK incorrectly sanitized URIs. An
attacker could possibly use this issue to bypass Java sandbox
restrictions. (CVE-2023-21968)

Affected Software/OS:
'openjdk-8, openjdk-17, openjdk-20, openjdk-lts' package(s) on Ubuntu 16.04, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 22.10, Ubuntu 23.04.

Solution:
Please install the updated package(s).

CVSS Score:
7.1

CVSS Vector:
AV:N/AC:H/Au:N/C:C/I:C/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2023-21930
Debian Security Information: DSA-5430 (Google Search)
https://www.debian.org/security/2023/dsa-5430
Debian Security Information: DSA-5478 (Google Search)
https://www.debian.org/security/2023/dsa-5478
https://www.couchbase.com/alerts/
Oracle Advisory
https://www.oracle.com/security-alerts/cpuapr2023.html
https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html
Common Vulnerability Exposure (CVE) ID: CVE-2023-21937
Common Vulnerability Exposure (CVE) ID: CVE-2023-21938
Common Vulnerability Exposure (CVE) ID: CVE-2023-21939
Common Vulnerability Exposure (CVE) ID: CVE-2023-21954
Common Vulnerability Exposure (CVE) ID: CVE-2023-21967
Common Vulnerability Exposure (CVE) ID: CVE-2023-21968

Copyright Copyright (C) 2023 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.12.2023.6077.1
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-6077-1)
Summary:	The remote host is missing an update for the 'openjdk-8, openjdk-17, openjdk-20, openjdk-lts' package(s) announced via the USN-6077-1 advisory.
Description:	Summary: The remote host is missing an update for the 'openjdk-8, openjdk-17, openjdk-20, openjdk-lts' package(s) announced via the USN-6077-1 advisory. Vulnerability Insight: Ben Smyth discovered that OpenJDK incorrectly handled half-duplex connections during TLS handshake. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2023-21930) It was discovered that OpenJDK incorrectly handled certain inputs. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2023-21937) It was discovered that OpenJDK incorrectly handled command arguments. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2023-21938) It was discovered that OpenJDK incorrectly validated HTML documents. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2023-21939) Ramki Ramakrishna discovered that OpenJDK incorrectly handled garbage collection. An attacker could possibly use this issue to bypass Java sandbox restrictions. (CVE-2023-21954) Jonathan Looney discovered that OpenJDK incorrectly handled certificate chains during TLS session negotiation. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-21967) Adam Reziouk discovered that OpenJDK incorrectly sanitized URIs. An attacker could possibly use this issue to bypass Java sandbox restrictions. (CVE-2023-21968) Affected Software/OS: 'openjdk-8, openjdk-17, openjdk-20, openjdk-lts' package(s) on Ubuntu 16.04, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 22.10, Ubuntu 23.04. Solution: Please install the updated package(s). CVSS Score: 7.1 CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-21930 Debian Security Information: DSA-5430 (Google Search) https://www.debian.org/security/2023/dsa-5430 Debian Security Information: DSA-5478 (Google Search) https://www.debian.org/security/2023/dsa-5478 https://www.couchbase.com/alerts/ Oracle Advisory https://www.oracle.com/security-alerts/cpuapr2023.html https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html Common Vulnerability Exposure (CVE) ID: CVE-2023-21937 Common Vulnerability Exposure (CVE) ID: CVE-2023-21938 Common Vulnerability Exposure (CVE) ID: CVE-2023-21939 Common Vulnerability Exposure (CVE) ID: CVE-2023-21954 Common Vulnerability Exposure (CVE) ID: CVE-2023-21967 Common Vulnerability Exposure (CVE) ID: CVE-2023-21968
Copyright	Copyright (C) 2023 Greenbone AG