Vulnerability Location
This is the OpenJDK image used for Mirth
Environment (please complete the following information if it is applicable to the issue)
OS: Docker
Java Distribution/Version: OpenJDK 17.0.6
Connect Version: 4.3.0
Suggested remediation
Upgrade OpenJDK to 17.0.8 or greater
Additional context
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. (https://github.com/advisories/GHSA-mw33-48wm-m4r2)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. (https://github.com/advisories/GHSA-rgxf-494f-377c)
Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. (https://github.com/advisories/GHSA-grjf-4ggg-f6cm)
Exploitability Information
EXPLOIT AVAILABLE: True
EXPLOIT EASE: Exploits are available
Risk Information
RISK FACTOR: Medium
CVSS BASE SCORE: 5.4
CVSS TEMPORAL SCORE: 4.2
CVSS VECTOR: AV:N/AC:H/Au:N/C:N/I:C/A:N
CVSS TEMPORAL VECTOR: E:POC/RL:OF/RC:C
CVSS3 BASE SCORE: 5.9
CVSS3 TEMPORAL SCORE: 5.3
CVSS3 VECTOR: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS3 TEMPORAL VECTOR: E:P/RL:O/RC:C
IVAM SEVERITY: I
Path: /var/lib/docker/overlay2/e6cd599ca96af456509de813299cf0dbaa6c57eafca4a31a5ffd7ac040260dc7/diff/opt/java/openjdk/
Installed version: 17.0.6
Fixed version: Upgrade to version 17.0.8 or greater
Path: /var/lib/docker/overlay2/29ece69f535e91d11e8e7abe1f783d8c937e7b1b6d29781f46ec8e72ddd3a453/merged/opt/java/openjdk/
Installed version: 17.0.6
Fixed version: Upgrade to version 17.0.8 or greater
Describe the security issue
Security scan from Tenable.IO is reporting these three CVEs for the OpenJDK bundled within Mirth 4.3.0: https://github.com/advisories/GHSA-mw33-48wm-m4r2, https://github.com/advisories/GHSA-rgxf-494f-377c and https://github.com/advisories/GHSA-grjf-4ggg-f6cm. The above is the output.
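The scan above identified the JDK from the files under /opt/java/openjdk/ in the image layers, not from the image tag. The following script is an added example (it is not part of this issue or of Mirth Connect) that does the same check from the JDK's own "release" file and compares the version numerically against the fixed version the scanner names, so that a later 17.0.10 is not mistaken for "older than 17.0.8" by string comparison. The function names, the sample "release" file and the <mirth-image> placeholder are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or from Mirth Connect: decide whether a JDK
# install is below the version the scanner calls "fixed" (17.0.8 for this report),
# using the JDK's own "release" file rather than trusting the image tag.
# Function names and the sample file below are this example's own choices.

# Print the JAVA_VERSION value from a JDK "release" file, e.g. 17.0.6.
jdk_version_from_release() {
  sed -n 's/^JAVA_VERSION="\([^"]*\)".*/\1/p' "$1"
}

# Print the version quoted on the first line of `java -version` output,
# covering both 'openjdk version "17.0.6" ...' and 'java version "1.8.0_371"'.
jdk_version_from_banner() {
  printf '%s\n' "$1" | sed -n '1s/^[a-z]* version "\([^"]*\)".*/\1/p'
}

# Return 0 when dotted version $1 is >= $2. Build metadata after "+" is ignored
# and "_" is treated as a separator, so 1.8.0_371 compares as 1.8.0.371.
# Components are compared as integers, so 17.0.10 > 17.0.8 (a plain string
# comparison would get this wrong).
version_ge() {
  a=$(printf '%s' "$1" | sed 's/+.*//; s/_/./g')
  b=$(printf '%s' "$2" | sed 's/+.*//; s/_/./g')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; if [ "$x" = "$a" ]; then a=""; else a=${a#*.}; fi
    y=${b%%.*}; if [ "$y" = "$b" ]; then b=""; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# Print "OK <version>", "VULNERABLE <version>" or "UNKNOWN ..." for the JDK
# rooted at $1, given the fixed version $2. Always exits 0 so it is safe in $(...).
jdk_status() {
  v=$(jdk_version_from_release "$1/release")
  if [ -z "$v" ]; then
    printf 'UNKNOWN (no release file under %s)\n' "$1"
  elif version_ge "$v" "$2"; then
    printf 'OK %s\n' "$v"
  else
    printf 'VULNERABLE %s\n' "$v"
  fi
}

# Constructed sample: a "release" file carrying the version the scanner found.
# On a real host, point jdk_status at the overlay path from the scan output, or
# read the file straight out of the image with
#   docker run --rm --entrypoint cat <mirth-image> /opt/java/openjdk/release
SAMPLE_JDK=$(mktemp -d)
cat > "$SAMPLE_JDK/release" <<'EOF'
IMPLEMENTOR="Eclipse Adoptium"
JAVA_VERSION="17.0.6"
JAVA_VERSION_DATE="2023-01-17"
EOF

jdk_status "$SAMPLE_JDK" 17.0.8
```

Run it against each overlay path the scanner listed (jdk_status /var/lib/docker/overlay2/<id>/merged/opt/java/openjdk 17.0.8); after rebuilding on a newer base image the same call should print OK, which is a quicker confirmation than waiting for the next Tenable pass.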