Common Vulnerabilities and Exposures Fixes

The Azul Zing Virtual Machine is now Azul Zulu Prime Builds of OpenJDK and part of Azul Platform Prime.

Azul Platform Prime 21.07.0.0 contains the July 2021 CPU release of OpenJDK. Azul Platform Prime 21.07.0.0 brings the associated JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 versions to July 2021 CPU security update levels and incorporates changes related to OpenJDK 7u301, OpenJDK 8u291, OpenJDK 11.0.10.0.101+1, OpenJDK 13.0.6.0.101+2, and OpenJDK 15.0.2.0.101+2 release contents.

The following table lists the latest CVE fixes added in the Azul Platform Prime 21.07.0.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.

July 2021 CVE Fix (CVSS Version 3.0 Risk)

| CVE # | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Azul Platform Prime Versions Affected | Note |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-2369 | Library | Multiple | Yes | 4.3 | N | L | N | R | U | N | L | N | 15, 13, 11, 8, 7 | Note 1 |
| CVE-2021-2341 | Networking | Multiple | Yes | 3.1 | N | H | N | R | U | L | N | N | 15, 13, 11, 8, 7 | Note 1 |
| CVE-2021-2388 | Hotspot | Multiple | Yes | 7.5 | N | H | N | R | U | H | H | H | None | Note 1 |
| CVE-2021-2432 | JNDI | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 7, 6 | Note 2 |
| CVE-2020-28928 | Oracle GraalVM Enterprise Edition: LLVM Interpreter (musl libc) | None | No | 5.5 | L | L | L | N | U | N | N | H | None | |
| CVE-2021-29921 | Oracle GraalVM Enterprise Edition: Python interpreter and runtime (CPython) | Multiple | Yes | 9.8 | N | L | N | N | U | H | H | H | None | |

Base and Impact Metric:

| Metrics | Values |
|---|---|
| Attack Vector | Network (N), Adjacent (A), Local (L), and Physical (P) |
| Attack Complexity | Low (L) and High (H) |
| Privileges Required | None (N), Low (L), and High (H) |
| User Interaction | None (N) and Required (R) |
| Scope | Unchanged (U) and Changed (C) |
| Confidentiality Impact | High (H), Low (L), and None (N) |
| Integrity Impact | High (H), Low (L), and None (N) |
| Availability Impact | High (H), Low (L), and None (N) |

Notes

  1. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

  2. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

July 2021 Non-CVE Security Fix

| Patch ID in OpenJDK Bug DB | JDK Levels Applicable in Azul Platform Prime | Synopsis | Java Update Type |
|---|---|---|---|
| JDK-8160768 | 7, 6 | Add capability to custom resolve host/domain names within the default JNDI LDAP provider. | CPU |
| JDK-8256491 | 15, 13, 11, 8, 7 | Better HTTP transport. | CPU |
| JDK-8262403 | 15, 13, 11, 8, 7 | Enhanced data transfers. | CPU |
| JDK-8262410 | 15, 13, 11, 8 | Enhanced rules for zones. | CPU |
| JDK-8262967 | 15, 13, 11, 8, 7 | Improve Zip file support | CPU |
| JDK-8264460 | 15, 13, 11, 8 | Improve NTLM support. | CPU |
| JDK-8260960 | 15, 13, 11, 8, 7 | Signs of jarsigner signing. | CPU |
| JDK-8260453 | 15, 13, 11, 8, 7 | Improve Font Bounding. | CPU |
| JDK-8262477 | 15, 13, 11, 8, 7 | Enhance String Conclusions. | CPU |
| JDK-8262380 | 15, 13, 11, 8, 7 | Enhance XML processing passes. | CPU |
| JDK-8256157 | 15, 13, 11, 8, 7 | Improve bytecode assembly. | CPU |