rhsa-2025:3854
Vulnerability from csaf_redhat
Published
2025-04-16 17:29
Modified
2025-07-29 16:56
Summary
Red Hat Security Advisory: OpenJDK 17.0.15 Security Update for Windows Builds

Notes

Topic
An update is now available for OpenJDK. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. This release of the Red Hat build of OpenJDK 17 (17.0.15) for Windows serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.14) and includes security and bug fixes as well as enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * JDK: Better TLS connection support (CVE-2025-21587) * JDK: Improve compiler transformations (CVE-2025-30691) * JDK: Enhance Buffered Image handling (CVE-2025-30698) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for OpenJDK.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.\n\nThis release of the Red Hat build of OpenJDK 17 (17.0.15) for Windows serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.14) and includes security and bug fixes as well as enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* JDK: Better TLS connection support (CVE-2025-21587)\n* JDK: Improve compiler transformations (CVE-2025-30691)\n* JDK: Enhance Buffered Image handling (CVE-2025-30698)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:3854",
        "url": "https://access.redhat.com/errata/RHSA-2025:3854"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/17/html/release_notes_for_red_hat_build_of_openjdk_17.0.15/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/17/html/release_notes_for_red_hat_build_of_openjdk_17.0.15/index"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3854.json"
      }
    ],
    "title": "Red Hat Security Advisory: OpenJDK 17.0.15 Security Update for Windows Builds",
    "tracking": {
      "current_release_date": "2025-07-29T16:56:03+00:00",
      "generator": {
        "date": "2025-07-29T16:56:03+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.5"
        }
      },
      "id": "RHSA-2025:3854",
      "initial_release_date": "2025-04-16T17:29:51+00:00",
      "revision_history": [
        {
          "date": "2025-04-16T17:29:51+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-04-16T17:29:51+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-07-29T16:56:03+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Build of OpenJDK 17.0.15",
                "product": {
                  "name": "Red Hat Build of OpenJDK 17.0.15",
                  "product_id": "Red Hat Build of OpenJDK 17.0.15",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openjdk:17::windows"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenJDK"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-21587",
      "cwe": {
        "id": "CWE-208",
        "name": "Observable Timing Discrepancy"
      },
      "discovery_date": "2025-04-15T07:43:27.892000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2359695"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition:20.3.17 and  21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openjdk: Better TLS connection support (Oracle CPU 2025-04)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The severity of this vulnerability is considered Moderate rather than Important due to the specific conditions required for exploitation and the complexity involved in executing the attack.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-208: Observable Timing Discrepancy vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform enforces hardening guidelines to apply the most restrictive settings necessary for operations. Baseline configurations and system controls ensure secure software states, while least functionality reduces the attack surface by maintaining consistent settings and minimizing timing variations that could expose discrepancies. Domain accounts are configured with lockout policies to reduce the effectiveness of brute-force attacks and prevent attackers from inferring valid credentials through response timing. Event logs are centrally collected and analyzed to detect anomalous timing-based behaviors that may indicate timing attacks. Static code analysis and peer reviews enforce strong input validation and error handling, limiting the introduction of time-based exploits. Additionally, controls such as process isolation and encryption of data at rest contain the impact of successful exploitation by isolating compromised processes and preventing unauthorized data access.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of OpenJDK 17.0.15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-21587"
        },
        {
          "category": "external",
          "summary": "RHBZ#2359695",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359695"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-21587",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-21587"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-21587",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21587"
        }
      ],
      "release_date": "2025-04-15T21:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-04-16T17:29:51+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Build of OpenJDK 17.0.15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:3854"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of OpenJDK 17.0.15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openjdk: Better TLS connection support (Oracle CPU 2025-04)"
    },
    {
      "cve": "CVE-2025-30691",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "discovery_date": "2025-04-15T07:41:09.945000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2359694"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Vulnerability in Oracle Java SE (component: Compiler).  Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and  24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as  unauthorized read access to a subset of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openjdk: Improve compiler transformations (Oracle CPU 2025-04)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat follows best practice and federal requirements for least privilege, allowing only specific processes to be run with isolated accounts specific to team and federal platforms that have limited privileges that are only used for a single task. The environment leverages file integrity checks and malicious code protections, such as IPS/IDS and antimalware solutions, to help detect and prevent malicious code that attempts to exploit buffer overflow vulnerabilities. Robust input validation and error-handling mechanisms ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of OpenJDK 17.0.15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-30691"
        },
        {
          "category": "external",
          "summary": "RHBZ#2359694",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359694"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-30691",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-30691"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-30691",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30691"
        }
      ],
      "release_date": "2025-04-15T21:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-04-16T17:29:51+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Build of OpenJDK 17.0.15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:3854"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of OpenJDK 17.0.15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openjdk: Improve compiler transformations (Oracle CPU 2025-04)"
    },
    {
      "cve": "CVE-2025-30698",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "discovery_date": "2025-04-15T07:38:28.558000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2359693"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D).  Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17 and  21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openjdk: Enhance Buffered Image handling (Oracle CPU 2025-04)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to the successful exploitation of a CWE-122: Heap-based Buffer Overflow vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nAccess to the platform is granted only after successful hard token, multi-factor authentication (MFA), which is coupled with least privilege principles to ensure that only authorized roles and users can execute or manipulate code. Red Hat enforces the principle of least functionality, ensuring that only essential features, services, and ports are enabled. This minimizes the number of components that could be affected by heap-based buffer overflow exploitations. The environment leverages malicious code protections such as IPS/IDS and antimalware solutions that detect and respond to indicators in real time, preventing or limiting the impact of exploitation attempts. Static code analysis and peer code review techniques ensure all user inputs are thoroughly validated, preventing improperly validated inputs from causing system instability, exposing sensitive data, or escalating risks. Finally, memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) enhance resilience against memory buffer overflows and denial-of-service attacks.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of OpenJDK 17.0.15"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-30698"
        },
        {
          "category": "external",
          "summary": "RHBZ#2359693",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359693"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-30698",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-30698"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-30698",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30698"
        }
      ],
      "release_date": "2025-04-15T21:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-04-16T17:29:51+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat Build of OpenJDK 17.0.15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:3854"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of OpenJDK 17.0.15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "openjdk: Enhance Buffered Image handling (Oracle CPU 2025-04)"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.