Source: openjdk-21 Version: 21.0.7~8ea-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: clone -1 -2 -3 -4 Control: reassign -2 src:openjdk-17 17.0.15~5ea-1 Control: retitle -2 openjdk-17: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587 Control: reassign -3 src:openjdk-11 11.0.27~4ea-1 Control: retitle -3 openjdk-11: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587 Control: reassign -4 src:openjdk-8 8u442-ga-2 Control: retitle -4 openjdk-8: CVE-2025-30698 CVE-2025-30691 CVE-2025-21587
Hi, The following vulnerabilities were published for OpenJDK. CVE-2025-30698[0]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | 2D). Supported versions that are affected are Oracle Java SE: | 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for | JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17 | and 21.3.13. Difficult to exploit vulnerability allows | unauthenticated attacker with network access via multiple protocols | to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition. Successful attacks of this vulnerability can | result in unauthorized update, insert or delete access to some of | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise | Edition accessible data as well as unauthorized read access to a | subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition accessible data and unauthorized ability to cause | a partial denial of service (partial DOS) of Oracle Java SE, Oracle | GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This | vulnerability applies to Java deployments, typically in clients | running sandboxed Java Web Start applications or sandboxed Java | applets, that load and run untrusted code (e.g., code that comes | from the internet) and rely on the Java sandbox for security. This | vulnerability does not apply to Java deployments, typically in | servers, that load and run only trusted code (e.g., code installed | by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality, | Integrity and Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). CVE-2025-30691[1]: | Vulnerability in Oracle Java SE (component: Compiler). Supported | versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle | GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability | allows unauthenticated attacker with network access via multiple | protocols to compromise Oracle Java SE. Successful attacks of this | vulnerability can result in unauthorized update, insert or delete | access to some of Oracle Java SE accessible data as well as | unauthorized read access to a subset of Oracle Java SE accessible | data. Note: This vulnerability can be exploited by using APIs in the | specified Component, e.g., through a web service which supplies data | to the APIs. This vulnerability also applies to Java deployments, | typically in clients running sandboxed Java Web Start applications | or sandboxed Java applets, that load and run untrusted code (e.g., | code that comes from the internet) and rely on the Java sandbox for | security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity | impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). CVE-2025-21587[2]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | JSSE). Supported versions that are affected are Oracle Java | SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM | for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise | Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability | allows unauthenticated attacker with network access via multiple | protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, | Oracle GraalVM Enterprise Edition. Successful attacks of this | vulnerability can result in unauthorized creation, deletion or | modification access to critical data or all Oracle Java SE, Oracle | GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data | as well as unauthorized access to critical data or complete access | to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition accessible data. Note: This vulnerability can be | exploited by using APIs in the specified Component, e.g., through a | web service which supplies data to the APIs. This vulnerability also | applies to Java deployments, typically in clients running sandboxed | Java Web Start applications or sandboxed Java applets, that load and | run untrusted code (e.g., code that comes from the internet) and | rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 | (Confidentiality and Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-30698 https://www.cve.org/CVERecord?id=CVE-2025-30698 [1] https://security-tracker.debian.org/tracker/CVE-2025-30691 https://www.cve.org/CVERecord?id=CVE-2025-30691 [2] https://security-tracker.debian.org/tracker/CVE-2025-21587 https://www.cve.org/CVERecord?id=CVE-2025-21587 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
