I have an Amazon Linux EC2 instance with the following Java version:
java version "17.0.8" 2023-07-18 LTS
Java(TM) SE Runtime Environment (build 17.0.8+9-LTS-211)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.8+9-LTS-211, mixed mode, sharing)
Greenbone discovered the following vulnerabilities, which have been fixed with Java version 17.0.1:
- Oracle Java SE Security Update (jan2022) 02 - Linux
- Oracle Java SE Security Update (jan2022) 03 - Linux
Same issue with Java versions 17.0.6 and 17.0.7.
Thanks in advance
Welcome to this community forum and thanks a lot for your remark / report.
I have forwarded it to the responsible team working on this topic for a review.
So I had a few more minutes left and checked this on my own without waiting for the review of the responsible team.
It seems this is/was originating from a typo in the Oracle advisory itself, which has:
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01;
while the versioning scheme of 17.x is actually 17.0.6 and similar. As 17.0.6 is < 17.01, the vulnerability report has been seen on all 17.x instances.
The version check has now been updated to not use the wrong 17.01 from the advisory but the correct 17.0.1, and these changes should arrive in the feed in the next few days.
Unfortunately this shows again that automated vulnerability scanning (especially if version based) is only as good as the source of the version info (in this case the vendor advisory).
As the CVE descriptions themselves, e.g. https://www.cve.org/CVERecord?id=CVE-2022-21291, currently also contain the malformed version “17.01”, I have contacted Oracle (as the assigning CNA) to correct the CVE descriptions as well as the advisory.
Let’s see if these resources get corrected to avoid further confusion / misunderstandings in the future.
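As an added illustration (not code from this thread or from Greenbone's feed), here is a minimal version-based check in Python showing why the advisory's "17.01" flags every 17.x release while the corrected "17.0.1" does not; it assumes plain dotted numeric versions and a constructed list of installed versions.

```python
from typing import Dict, List


def parse_version(version: str) -> List[int]:
    """Split a dotted version string into integer components.

    "17.0.6" -> [17, 0, 6]; the typo "17.01" -> [17, 1] (only two components).
    Assumes purely numeric dotted versions; forms like "8u311" are out of scope here.
    """
    return [int(part) for part in version.strip().split(".")]


def is_flagged(installed: str, fixed_in: str) -> bool:
    """Apply the check a version-based scanner performs: flag when installed < fixed.

    Lists compare element by element, so [17, 0, 6] < [17, 1] because 0 < 1 in the
    second position. That is exactly how "17.01" matches every 17.0.x release.
    """
    return parse_version(installed) < parse_version(fixed_in)


def scan(installed_versions: List[str], fixed_in: str) -> Dict[str, bool]:
    """Return a mapping of installed version -> whether it would be reported."""
    return {v: is_flagged(v, fixed_in) for v in installed_versions}


def looks_malformed(fixed_in: str, expected_components: int = 3) -> bool:
    """Sanity check for advisory data: a fixed version with fewer components than the
    product's scheme uses (17.01 has 2, 17.0.1 has 3) is a likely transcription error
    and should be reviewed before it drives a detection."""
    return len(parse_version(fixed_in)) < expected_components


# Constructed inputs: the 17.x releases mentioned in the thread.
INSTALLED = ["17.0.1", "17.0.6", "17.0.7", "17.0.8"]
ADVISORY_TYPO = "17.01"     # value as printed in the advisory
ADVISORY_CORRECT = "17.0.1"  # value the updated check uses

if __name__ == "__main__":
    for fixed in (ADVISORY_TYPO, ADVISORY_CORRECT):
        print(f"fixed-in {fixed!r} (malformed={looks_malformed(fixed)}):",
              scan(INSTALLED, fixed))
```

With the typo every listed release is reported as vulnerable; with the corrected value none is, and `looks_malformed` would have caught the odd two-component version before it reached the feed.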
The issue has been solved. Thanks a lot for the support!
It seems Oracle has now updated these resources (all affected CVE descriptions as well as the advisory itself) accordingly.