OpenJDK Vulnerability Advisory: 2024/04/16

The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 22, 21.0.2, 17.0.10, 11.0.22, 8u402, and earlier. Please note that defense-in-depth issues are not assigned CVEs. We recommend that you upgrade as soon as possible.

The current and previous advisories are available for reference.

OpenJDK Risk matrix

CVE ID          Component            CVSSv3.1  Vector    Affects ...
                                                         8  11  17  21  22
CVE-2024-21094  hotspot/compiler     3.7       NHNNUNLN
CVE-2024-21085  core-libs/java.util  3.7       NHNNUNNL
CVE-2024-21011  hotspot/runtime      3.7       NHNNUNNL
CVE-2024-21068  hotspot/compiler     3.7       NHNNUNLN
CVE-2024-21012  core-libs/java.net   3.7       NHNNUNLN

OpenJFX Risk matrix

CVE ID          Component              CVSSv3.1  Vector    Affects ...
                                                           17  21  22
CVE-2023-41993  javafx/web             7.5       NHNRUHHH
CVE-2024-21003  javafx/graphics        3.1       NHNRUNLN
CVE-2024-21005  javafx/graphics        3.1       NHNRUNLN
CVE-2024-21002  javafx/graphics        2.5       LHNRUNLN
CVE-2024-21004  javafx/window-toolkit  2.5       LHNRUNLN

Acknowledgements

We acknowledge the following parties for their reports and contributions: Hedongbo, Vladimir Kondratyev, and Yakov Shafranovich.

We also thank the Leads of the JDK 8 Updates, JDK 11 Updates, JDK 17 Updates, JDK 21 Updates, and OpenJFX Projects for providing the risk-matrix information for their releases.

How to report a vulnerability

Please see the reporting instructions for information about how to report a vulnerability.

Last update: 2024/04/16 17:44 UTC