The version of java-1.8.0-openjdk installed on the remote host is prior to 1.8.0.412.b08-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2540 advisory.

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JavaFX).  Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM     Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated     attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes     to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks require human     interaction from a person other than the attacker. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts).  CVSS Vector:
    (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). (CVE-2024-21002)

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JavaFX).  Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM     Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker.
    Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to     some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability     applies to Java deployments, typically in clients running sandboxed Java Web Start applications or     sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and     rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in     servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base     Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
    (CVE-2024-21003)

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JavaFX).  Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM     Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated     attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes     to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks require human     interaction from a person other than the attacker. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts).  CVSS Vector:
    (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). (CVE-2024-21004)

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JavaFX).  Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM     Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker.
    Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to     some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability     applies to Java deployments, typically in clients running sandboxed Java Web Start applications or     sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and     rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in     servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base     Score 3.1 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
    (CVE-2024-21005)

    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401,     8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22;   Oracle GraalVM     Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,     Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK,     Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the     specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also     applies to Java deployments, typically in clients running sandboxed Java Web Start applications or     sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and     rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2024-21011)

    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401-perf,     11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise     Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access     via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise     Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete     access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible     data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a     web service which supplies data to the APIs. This vulnerability also applies to Java deployments,     typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load     and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for     security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2024-21068)

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Concurrency).  Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf,     11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability     to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web     service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in     clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run     untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS     3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
    (CVE-2024-21085)

    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u401,     8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM     Enterprise Edition: 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,     Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM     Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the     specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also     applies to Java deployments, typically in clients running sandboxed Java Web Start applications or     sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and     rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2024-21094)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2024-2540)

low Nessus Plugin ID 197114

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 May 30, 2025, 3:10 PM CVSS metrics ("CVSSv3 score" set to 3.7) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N") CVSSv3 score source (changed from "CVE-2024-21002" to none) Plugin Feed: 202505301510
Version 1.2 May 23, 2025, 2:01 AM CVSS metrics ("CVSSv3 score" set to 2.5) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N") CVSSv3 score source (set to "CVE-2024-21002") Plugin Feed: 202505230201
Version 1.1 Dec 12, 2024, 9:55 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412120955
Version 1.0 May 16, 2024, 12:59 AM New Plugin Feed: 202405160059