24.02.400.0

Need help?

Schedule a consultation with an Azul performance expert.

24.02.400.0

Release date: August 19, 2024

This PSU release is based on Azul Prime 24.02.302.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	1.8.0_422-b1
11	11.0.24+8-LTS
17	17.0.12+7-LTS
21	21.0.4+4-LTS

What’s New

July 2024 PSU release security fixes.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2024-21145	2D	Multiple	Yes	4.8	Network	High	None	None	Unchanged	Low	Low	None	21, 17, 11, 8	Note 1
CVE-2024-21131	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	21, 17, 11, 8	Note 1
CVE-2024-21138	Hotspot	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	21, 17, 11, 8	Note 1
CVE-2024-21144	Concurrency	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	11, 8	Note 2
CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK	HTTP/2	Yes	8.2	Network	Low	None	None	Unchanged	None	Low	High	None
CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	7.4	Network	High	None	None	Unchanged	High	High	None	None	Note 1
CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	4.8	Network	High	None	None	Unchanged	Low	Low	None	None	Note 1

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2024-21145

Multiple

Yes

4.8

Network

High

None

Unchanged

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21131

Hotspot

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-21138

Hotspot

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

21, 17, 11, 8

Note 1

CVE-2024-21144

Concurrency

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

11, 8

Note 2

CVE-2024-27983 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK

HTTP/2

Yes

8.2

Network

Low

None

Unchanged

None

Low

High

None

CVE-2024-21147 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

Unchanged

High

None

Note 1

CVE-2024-21140 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

4.8

Network

High

None

Unchanged

Low

None

Note 1

Notes:

ID	Notes
1	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
2	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Notes

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

For more information about CVE and non-CVE security fixes in this release, refer to Common Vulnerabilities and Exposures Fixes for July 2024

Known Issues

There are no new issues to report in this release.

Resolved Issues

There are no resolved issues associated with this release.