Common Vulnerabilities and Exposures Fixes

Table of Contents

April 2021 CVE Fix
In-Depth Non-CVE Security Fixes

Need help?

Schedule a consultation with an Azul performance expert.

The following Azul Platform Prime releases contain the April 2021 CPU release of OpenJDK:

CPU	PSU
21.04.0.0	21.04.0.0

CPU

PSU

21.04.0.0

The following table lists the latest CVE fixes added in the Azul Platform Prime 21.02.100.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.

April 2021 CVE Fix

CVSS VERSION 3.0 RISK

CVE #	Component	Protocol	Remote Exploit without Auth.	Base Score	Attack Vector	Attack Complex	Privs Req’d	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Azul Platform Prime Versions Affected	Note
CVE-2021-2161	Libraries	Multiple	Yes	5.9	Network	H	N	N	U	N	H	N	15, 13, 11, 8, 7	Note1
CVE-2021-2163	Libraries	Multiple	Yes	5.3	Network	H	N	R	U	N	H	N	1, 8, 7	Note 2 CVE-2021-23841
Oracle GraalVM Enterprise Edition: Node (OpenSSL)	HTTPS	Yes	7.5	Network	L	N	N	U	N	N	H	N/A	CVE-2021-3450	Oracle GraalVM Enterprise Edition: Node (Node.js)

CVE #

Component

Protocol

Remote Exploit without Auth.

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confidentiality

Integrity

Availability

Supported Azul Platform Prime Versions Affected

Note

CVE-2021-2161

Libraries

Multiple

Yes

5.9

Network

15, 13, 11, 8, 7

Note1

CVE-2021-2163

Libraries

Multiple

Yes

5.3

Network

1, 8, 7

Note 2 CVE-2021-23841

Oracle GraalVM Enterprise Edition: Node (OpenSSL)

HTTPS

Yes

7.5

Network

N/A

CVE-2021-3450

Oracle GraalVM Enterprise Edition: Node (Node.js)

Fixed in the October 2020 CPU release of Azul Platform Prime.

Base and Impact Metric:

Metrics	Values
Attack Vector	Network (N), Adjacent (A), Local (L), and Physical (P)
Attack Complexity	Low (L) and High (H)
Privileges Required	None (N), Low (L), and High (H)
User Interaction	None (N) and Required ®
Scope	Unchanged (U) and Changed ©
Confidentiality Impact	High (H), Low (L), and None (N)
Integrity Impact	High (H), Low (L), and None (N)
Availability Impact	High (H), Low (L), and None (N)

Metrics

Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required ®

Scope

Unchanged (U) and Changed ©

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

Notes

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component.
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

January 2021 Non-CVE Security Fix

Patch ID in OpenJDK Bug DB	JDK Levels Applicable in Azul Platform Prime	Synopsis	Java Update Type
JDK-8261183	11, 8, 7	Follow on to Make lists of normal filenames	CPU
JDK-8259633	11	compiler/graalunit/CoreTest.java fails with NPE after JDK-8244543	CPU
JDK-8259428	11, 8, 7	AlgorithmId.getEncodedParams() should return copy	CPU
JDK-8258247	11, 8, 7	Couple of issues in fix for JDK-8249906	CPU
JDK-8257001	11	Improve HTTP client support	CPU
JDK-8253799	11, 8, 7	Make lists of normal filenames	CPU
JDK-8244473	11, 8, 7	Contextualize registration for JNDI	CPU

Patch ID in OpenJDK Bug DB

JDK Levels Applicable in Azul Platform Prime

Synopsis

Java Update Type

JDK-8261183

11, 8, 7

Follow on to Make lists of normal filenames

CPU

JDK-8259633

compiler/graalunit/CoreTest.java fails with NPE after JDK-8244543

CPU

JDK-8259428