{"id":"USN-7338-1","summary":"openjdk-17-crac vulnerabilities","details":"Andy Boothe discovered that the Networking component of CRaC JDK 17 did not\nproperly handle access under certain circumstances. An unauthenticated\nattacker could possibly use this issue to cause a denial of service.\n(CVE-2024-21208)\n\nIt was discovered that the Hotspot component of CRaC JDK 17 did not\nproperly handle vectorization under certain circumstances. An\nunauthenticated attacker could possibly use this issue to access\nunauthorized resources and expose sensitive information.\n(CVE-2024-21210, CVE-2024-21235)\n\nIt was discovered that the Serialization component of CRaC JDK 17 did not\nproperly handle deserialization under certain circumstances. An\nunauthenticated attacker could possibly use this issue to cause a denial\nof service. (CVE-2024-21217)\n\nIt was discovered that the Hotspot component of CRaC JDK 17 did not\nproperly handle API access under certain circumstances. An unauthenticated\nattacker could possibly use this issue to access unauthorized resources\nand expose sensitive information. (CVE-2025-21502)\n\nIn addition to security fixes, the updated packages contain bug fixes, new\nfeatures, and possibly incompatible changes.\n\nPlease see the following for more information:\nhttps://openjdk.org/groups/vulnerability/advisories/2024-10-15\nhttps://openjdk.org/groups/vulnerability/advisories/2025-01-21\n","modified":"2026-02-04T04:32:38.554596Z","published":"2025-03-11T01:13:38.735327Z","related":["CVE-2024-21208","CVE-2024-21210","CVE-2024-21217","CVE-2024-21235","CVE-2025-21502","UBUNTU-CVE-2024-21208","UBUNTU-CVE-2024-21210","UBUNTU-CVE-2024-21217","UBUNTU-CVE-2024-21235","UBUNTU-CVE-2025-21502"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7338-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-21208"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-21210"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-21217"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-21235"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-21502"}],"affected":[{"package":{"name":"openjdk-17-crac","ecosystem":"Ubuntu:24.10","purl":"pkg:deb/ubuntu/openjdk-17-crac@17.0.14+7-0ubuntu1~24.10?arch=source&distro=oracular"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17.0.14+7-0ubuntu1~24.10"}]}],"versions":["17.0.13+0-0ubuntu1","17.0.13+0-0ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-dbg"},{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-demo"},{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-doc"},{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-jdk"},{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-jdk-headless"},{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-jre"},{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-jre-headless"},{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-jre-zero"},{"binary_version":"17.0.14+7-0ubuntu1~24.10","binary_name":"openjdk-17-crac-source"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7338-1.json"}}],"schema_version":"1.7.3"}