Common Vulnerabilities and Exposures Fixes

Looking for Zing? The Azul Zing Virtual Machine is now Azul Zulu Prime Builds of OpenJDK and part of Azul Platform Prime. Learn more.

Azul Platform Prime 21.05.0.0 is based on Azul Platform Prime 21.04.0.0 that contains the April 2021 CPU release of OpenJDK. Azul Platform Prime 21.02.100.0 brings the associated JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 versions to April 2021 CPU security update levels and incorporates changes related to OpenJDK 7u301, OpenJDK 8u291, OpenJDK 11.0.10.0.101+1, OpenJDK 13.0.6.0.101+2, and OpenJDK 15.0.2.0.101+2 release contents.

The following table lists the latest CVE fixes added in the Azul Platform Prime 21.02.100.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.

April 2021 CVE Fix

CVSS VERSION 3.0 RISK

| CVE # | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Azul Platform Prime Versions Affected | Note |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2161 | Libraries | Multiple | Yes | 5.9 | Network | H | N | N | U | N | H | N | 15, 13, 11, 8, 7 | Note 1 |
| CVE-2021-2163 | Libraries | Multiple | Yes | 5.3 | Network | H | N | R | U | N | H | N | 1, 8, 7 | Note 2 |
| CVE-2021-23841 | Oracle GraalVM Enterprise Edition: Node (OpenSSL) | HTTPS | Yes | 7.5 | Network | L | N | N | U | N | N | H | N/A | |
| CVE-2021-3450 | Oracle GraalVM Enterprise Edition: Node (Node.js) | | | | | | | | | | | | | |

Base and Impact Metric:

| Metrics | Values |
|---|---|
| Attack Vector | Network (N), Adjacent (A), Local (L), and Physical (P) |
| Attack Complexity | Low (L) and High (H) |
| Privileges Required | None (N), Low (L), and High (H) |
| User Interaction | None (N) and Required (R) |
| Scope | Unchanged (U) and Changed (C) |
| Confidentiality Impact | High (H), Low (L), and None (N) |
| Integrity Impact | High (H), Low (L), and None (N) |
| Availability Impact | High (H), Low (L), and None (N) |

Notes

  1. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component.

  2. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

January 2021 Non-CVE Security Fix

| Patch ID in OpenJDK Bug DB | JDK Levels Applicable in Azul Platform Prime | Synopsis | Java Update Type |
|---|---|---|---|
| JDK-8261183 | 11, 8, 7 | Follow on to Make lists of normal filenames | CPU |
| JDK-8259633 | 11 | compiler/graalunit/CoreTest.java fails with NPE after JDK-8244543 | CPU |
| JDK-8259428 | 11, 8, 7 | AlgorithmId.getEncodedParams() should return copy | CPU |
| JDK-8258247 | 11, 8, 7 | Couple of issues in fix for JDK-8249906 | CPU |
| JDK-8257001 | 11 | Improve HTTP client support | CPU |
| JDK-8253799 | 11, 8, 7 | Make lists of normal filenames | CPU |
| JDK-8244473 | 11, 8, 7 | Contextualize registration for JNDI | CPU |