Ubuntu Addresses Multiple OpenJDK 8 Vulnerabilities
Several vulnerabilities have recently been identified in OpenJDK 8, which could potentially lead to denial of service, information disclosure, arbitrary code execution, or even the bypassing of Java sandbox restrictions. In response, Canonical has released security fixes for multiple versions of OpenJDK, including OpenJDK 21, OpenJDK 17, OpenJDK 11, and OpenJDK 8 on affected Ubuntu releases.
This article explores the details of these vulnerabilities and offers guidance on securing your Ubuntu systems.
OpenJDK 8 Vulnerabilities Fixed
CVE-2024-21131
The Hotspot component of OpenJDK 8 did not properly perform bounds checks when handling certain UTF-8 strings. The resulting buffer overflow could allow an attacker to cause a denial of service or execute arbitrary code on affected systems.
CVE-2024-21138
Another Hotspot vulnerability allows the JVM to be induced into an infinite loop when handling excessively large symbols. An attacker who can get a system to process such input could use this to cause a denial of service.
CVE-2024-21140
The Hotspot component also did not properly perform range check elimination, the JIT compiler optimization that removes array bounds checks it has proven redundant. An incorrectly eliminated check can lead to out-of-bounds memory access, so this vulnerability could allow an attacker to cause a denial of service, execute arbitrary code, or bypass Java sandbox restrictions.
CVE-2024-21144
The Concurrency component of OpenJDK 8 did not properly perform header validation for the Pack200 archive format (the compressed JAR format handled by the pack200 and unpack200 tools). An attacker could exploit this with a crafted archive to cause a denial of service.
CVE-2024-21145
Sergey Bylokhov discovered that OpenJDK 8 did not properly manage memory when handling 2D images. An attacker could use this flaw to obtain sensitive information from the affected system.
CVE-2024-21147
A second range check elimination issue was also discovered in the Hotspot component. Like CVE-2024-21140, it could allow an attacker to cause a denial of service, execute arbitrary code, or bypass Java sandbox restrictions.
Securing Your Ubuntu Systems
To address these vulnerabilities, update your systems to the latest OpenJDK 8 package versions. Canonical has published security updates for the following Ubuntu releases:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 ESM
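Checking whether the update has actually landed is a version comparison, and a naive string or `sort -V` comparison gets Ubuntu's `~<release>` suffix wrong (in dpkg ordering, `1~22.04` sorts before `1`). The script below is an added example, not code from the Ubuntu advisory or the OpenJDK project: it parses the output of `dpkg-query -W -f='${Package} ${Version}\n' 'openjdk-8-*'`, implements dpkg's own version ordering, and reports any installed OpenJDK 8 package older than the fixed version. The fixed version string `8u422-b05-1~<release>` is an assumption that should be verified against the package versions listed in USN-6929-1, and the `dpkg-query` lines are constructed sample data.

```python
"""Flag installed OpenJDK 8 packages older than the USN-6929-1 fix.

Added example; not part of the Ubuntu advisory. The fixed version is an
assumption (verify against USN-6929-1) and the sample dpkg output is constructed.
"""

# Assumed fixed Debian version for all affected releases, minus the
# "~<release>" suffix Ubuntu appends (e.g. 8u422-b05-1~22.04 on 22.04).
ASSUMED_FIXED_BASE = "8u422-b05-1"

# Constructed sample of: dpkg-query -W -f='${Package} ${Version}\n' 'openjdk-8-*'
SAMPLE_DPKG_OUTPUT = """\
openjdk-8-jdk 8u412-ga-1~22.04.1
openjdk-8-jre-headless 8u422-b05-1~22.04
openjdk-8-jre 8u422-b05-1~22.04
"""


def _order(c):
    """Character weight used by dpkg for the non-digit parts of a version.

    '~' sorts before everything (even end of string), letters before
    other symbols, and digits/end-of-string are neutral (weight 0).
    """
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): compare two version fragments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit run character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the numeric run: strip leading zeros, longer run wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen at all: whole string is the upstream version
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` would order v1 vs v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def parse_dpkg_query(output):
    """Turn 'package version' lines into (package, version) pairs."""
    pairs = []
    for line in output.splitlines():
        if line.strip():
            name, _, version = line.strip().partition(" ")
            pairs.append((name, version.strip()))
    return pairs


def find_unpatched(output, release, fixed_base=ASSUMED_FIXED_BASE):
    """Return installed packages whose version is below the fix for this release."""
    fixed = f"{fixed_base}~{release}"
    return [(n, v) for n, v in parse_dpkg_query(output) if compare_versions(v, fixed) < 0]


if __name__ == "__main__":
    for name, version in find_unpatched(SAMPLE_DPKG_OUTPUT, "22.04"):
        print(f"UNPATCHED: {name} {version}")
```

To run this against a real host, feed it the output of the `dpkg-query` command above and the release from `/etc/os-release`, then apply the fix with `sudo apt update && sudo apt upgrade`. A patched package on disk does not protect a JVM that is already running with the old libraries loaded; restart every Java process (or the host) after the upgrade.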
For systems running Ubuntu 18.04, which has reached the end of its standard support period, these security fixes are only available through Extended Security Maintenance (ESM) with an Ubuntu Pro subscription. However, there is an alternative option for organizations looking to extend the security life of their Ubuntu 18.04 systems without incurring high costs.
TuxCare’s Extended Lifecycle Support (ELS) for Ubuntu 18.04 offers a more affordable solution, providing up to five additional years of vendor-grade security patches. This service covers over 140 packages, including the Linux kernel, OpenJDK, Apache, PHP, glibc, OpenSSL, OpenSSH, and Python packages, among others. With ELS, you get enough time to plan a safe migration while maintaining the security of your operating system.
Source: USN-6929-1