Red Hat Linux OS and other open source products

Advisory	Title	Published
RHSA-2024:8116	(RHSA-2024:8116) Moderate: java-1.8.0-openjdk security update	October 17, 2024
RHSA-2024:7941	(RHSA-2024:7941) Important: OpenShift Container Platform 4.13.z security update	October 16, 2024
RHSA-2024:7939	(RHSA-2024:7939) Important: OpenShift Container Platform 4.13.52 security update	October 16, 2024
RHSA-2024:8117	(RHSA-2024:8117) Moderate: java-1.8.0-openjdk security update	October 16, 2024
RHSA-2024:7944	(RHSA-2024:7944) Moderate: OpenShift Container Platform 4.16.17 security update	October 16, 2024
RHSA-2024:8129	(RHSA-2024:8129) Moderate: OpenJDK 21.0.5 Security Update for Windows Builds	October 16, 2024
RHSA-2024:8128	(RHSA-2024:8128) Moderate: OpenJDK 21.0.5 Security Update for Portable Linux Builds	October 16, 2024
RHSA-2024:8126	(RHSA-2024:8126) Moderate: OpenJDK 17.0.13 Security Update for Windows Builds	October 16, 2024
RHSA-2024:8125	(RHSA-2024:8125) Moderate: OpenJDK 17.0.13 Security Update for Portable Linux Builds	October 16, 2024
RHSA-2024:8123	(RHSA-2024:8123) Moderate: OpenJDK 11.0.25 Security Update for Windows Builds	October 16, 2024

By the Year

In 2024 there have been 1266 vulnerabilities in Red Hat with an average score of 6.6 out of ten. Last year Red Hat had 1166 security vulnerabilities published. That is, 100 more vulnerabilities have already been reported in 2024 as compared to last year. Last year, the average CVE base score was greater by 0.24

Year	Vulnerabilities	Average Score
2024	1266	6.56
2023	1166	6.81
2022	1344	6.98
2021	1090	6.67
2020	634	6.58
2019	755	6.93
2018	736	7.32

It may take a day or so for new Red Hat vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Security Vulnerabilities

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in Oracle Java SE (component: Hotspot)

CVE-2024-21210 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE

CVE-2024-21235 4.8 - Medium - October 15, 2024

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

CVE-2024-48949 9.1 - Critical - October 10, 2024

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

Improper Verification of Cryptographic Signature

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines

CVE-2024-9680 9.8 - Critical - October 09, 2024

Dangling pointer

OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator

CVE-2024-42934 - October 09, 2024

OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or code execution.

OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator

CVE-2024-42934 - October 09, 2024