Amazon Linux AMI update for java-17-amazon-corretto

1) Improper input validation

EUVDB-ID: #VU88666

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-21011

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Update the affected packages:

aarch64:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-devel-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-headless-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-javadoc-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-jmods-17.0.11+9-1.amzn2023.1.aarch64

src:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.src

x86_64:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-devel-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-headless-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-javadoc-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-jmods-17.0.11+9-1.amzn2023.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:

External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-599.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU88669

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-21012

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected packages:

aarch64:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-devel-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-headless-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-javadoc-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-jmods-17.0.11+9-1.amzn2023.1.aarch64

src:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.src

x86_64:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-devel-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-headless-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-javadoc-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-jmods-17.0.11+9-1.amzn2023.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:

External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-599.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU88667

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-21068

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected packages:

aarch64:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-devel-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-headless-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-javadoc-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-jmods-17.0.11+9-1.amzn2023.1.aarch64

src:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.src

x86_64:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-devel-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-headless-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-javadoc-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-jmods-17.0.11+9-1.amzn2023.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:

External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-599.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU88668

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-21094

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Update the affected packages:

aarch64:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-devel-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-headless-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-javadoc-17.0.11+9-1.amzn2023.1.aarch64
    java-17-amazon-corretto-jmods-17.0.11+9-1.amzn2023.1.aarch64

src:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.src

x86_64:
    java-17-amazon-corretto-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-devel-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-headless-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-javadoc-17.0.11+9-1.amzn2023.1.x86_64
    java-17-amazon-corretto-jmods-17.0.11+9-1.amzn2023.1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:

External links

http://alas.aws.amazon.com/AL2023/ALAS-2024-599.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Risk	Low
Patch available	YES
Number of vulnerabilities	4
CVE-ID	CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21094
CWE-ID	CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services