Alpine: multiple openjdk8 packages: security update to 8.131.11-r2 (deprecated)

Severity: Critical | Tenable Self-Hosted Container Security Plugin ID 400863

Description

The openjdk8 packages installed in the image are older than 8.131.11-r2 and are therefore affected by multiple vulnerabilities. Five of the 23 CVEs listed under Reference Information are described below:

- Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). The
supported version that is affected is Java SE: 8u131; Java SE Embedded: 8u131. Easily exploitable
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the
attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE
Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that
comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to
Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an
administrator). (CVE-2017-10111)

- Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: 2D).
Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131;
JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access
via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this
vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of
Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web
Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as
through a web service. (CVE-2017-10053)

- Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that
are affected are Java SE: 6u151, 7u141 and 8u131. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful
attacks require human interaction from a person other than the attacker. Successful attacks of this
vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load
and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for
security. This vulnerability does not apply to Java deployments, typically in servers, that load and run
only trusted code (e.g., code installed by an administrator). (CVE-2017-10067)

- Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot).
Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a
person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may
significantly impact additional products. Successful attacks of this vulnerability can result in takeover
of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code
(e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability
does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code
installed by an administrator). (CVE-2017-10074)

- Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Scripting). The supported version
that is affected is Java SE: 8u131. Easily exploitable vulnerability allows low privileged attacker with
network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification access to critical data or all Java SE
accessible data as well as unauthorized access to critical data or complete access to all Java SE
accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications
and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component
without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web
service. (CVE-2017-10078)

Triage note for container images: of the five CVEs described above, CVE-2017-10111, CVE-2017-10067 and
CVE-2017-10074 require the JVM to run untrusted code under the Java sandbox (applets or Web Start), which
is rarely the case for a server-side workload in a container. CVE-2017-10053 (2D) and CVE-2017-10078
(Scripting) can instead be reached by feeding attacker-controlled data to the affected APIs, for example
through a web service, so they remain relevant to server deployments. The Critical rating below is driven
by CVE-2017-10111 (the CVSS score source), not by the server-relevant issues. The remediation is the same
in either case: upgrade every openjdk8 package to 8.131.11-r2 or later.
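To reproduce the version check this plugin performs without a scanner, the following added example (not Tenable's plugin code and not from the Alpine project) parses the output of `apk info -v` and flags any openjdk8 package older than 8.131.11-r2. The set of subpackage names, the simplified Alpine version grammar and the sample `apk info -v` lines are all assumptions constructed for the example.

```python
"""Offline check of installed Alpine openjdk8 package versions against the fixed version."""
import re
import sys
from typing import List, Tuple

# Fixed version taken from the advisory title.
FIXED_VERSION = "8.131.11-r2"

# Assumed list of the "multiple openjdk8 packages" the advisory refers to;
# the advisory itself does not enumerate them.
OPENJDK8_PACKAGES = {
    "openjdk8", "openjdk8-jre", "openjdk8-jre-base",
    "openjdk8-jre-lib", "openjdk8-doc", "openjdk8-demos",
}

# Simplified Alpine version grammar: dotted numeric components, an optional
# trailing letter (e.g. 2.4a) and an optional "-rN" package release.
# apk's real comparator also knows _alpha/_beta/_rc/_p suffixes, which
# openjdk8 versions do not use, so they are deliberately not handled here.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z])?(?:-r(\d+))?$")

# "apk info -v" prints one "<name>-<version>" per line; the version is the
# first hyphen-separated field that starts with a digit.
_PKG_RE = re.compile(r"^(.+?)-(\d\S*)$")


def parse_version(version: str) -> Tuple[List[int], str, int]:
    """Split '8.131.11-r2' into ([8, 131, 11], '', 2)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported Alpine version syntax: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    letter = m.group(2) or ""
    pkgrel = int(m.group(3) or 0)
    return numbers, letter, pkgrel


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Components are compared numerically (so -r10 is newer than -r2, not older
    as a string comparison would say); a version with extra trailing
    components is treated as newer than its shorter prefix.
    """
    key_a, key_b = parse_version(a), parse_version(b)
    return (key_a > key_b) - (key_a < key_b)


def parse_apk_info_line(line: str) -> Tuple[str, str]:
    """Split 'openjdk8-jre-base-8.131.11-r1' into ('openjdk8-jre-base', '8.131.11-r1')."""
    m = _PKG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 'apk info -v' line: {line!r}")
    return m.group(1), m.group(2)


def affected_packages(apk_info_output: str,
                      fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (name, version) for every installed openjdk8 package older than `fixed`."""
    hits = []
    for line in apk_info_output.splitlines():
        if not line.strip():
            continue
        name, version = parse_apk_info_line(line)
        # Only versions of the packages we care about are parsed, so unusual
        # version syntax in unrelated packages cannot abort the check.
        if name in OPENJDK8_PACKAGES and compare_versions(version, fixed) < 0:
            hits.append((name, version))
    return hits


# Constructed sample of "apk info -v" output from a vulnerable image; not
# captured from a real system.
SAMPLE_APK_INFO = """\
musl-1.1.16-r14
busybox-1.26.2-r9
java-common-0.1-r0
openjdk8-jre-lib-8.131.11-r1
openjdk8-jre-base-8.131.11-r1
openjdk8-jre-8.131.11-r1
"""

if __name__ == "__main__":
    # Usage inside an Alpine image:  apk info -v | python3 check_openjdk8.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_APK_INFO
    hits = affected_packages(data)
    for name, version in hits:
        print(f"VULNERABLE {name} {version} is older than {FIXED_VERSION}")
    sys.exit(1 if hits else 0)
```

When run inside the image, `apk version -t 8.131.11-r1 8.131.11-r2` (which prints `<`, `=` or `>`) is the authoritative comparator and can be used to cross-check the simplified one above; after `apk upgrade`, rerunning the script with the real `apk info -v` output should report nothing and exit 0.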

See Also

https://git.alpinelinux.org/aports/commit/?id=85cf3a23470c07ce4a6152ef5b21be366d14d684

https://git.alpinelinux.org/aports/commit/?id=da31d76c19084dd733dbf58544ac4c7dac84b95a

Plugin Details

Severity: Critical

ID: 400863

Version: Revision 1.22

Type: Local

Published: 8/16/2023

Updated: 1/17/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-10111

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/21/2017

Vulnerability Publication Date: 7/18/2017

Reference Information

CVE: CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10078, CVE-2017-10081, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10115, CVE-2017-10116, CVE-2017-10118, CVE-2017-10135, CVE-2017-10176, CVE-2017-10193, CVE-2017-10198

BID: 99643, 99659, 99670, 99674, 99703, 99706, 99707, 99712, 99719, 99731, 99734, 99752, 99756, 99774, 99782, 99788, 99818, 99839, 99842, 99846, 99847, 99853, 99854