Common Vulnerabilities and Exposures Fixes
The following Azul Platform Prime releases contain the July 2021 CPU release of OpenJDK:
| CPU | PSU |
|---|---|
21.07.0.0 |
21.07.0.0 |
The following table lists the latest CVE fixes added in the Azul Platform Prime 21.07.0.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.
July 2021 CVE Fix
CVSS VERSION 3.0 RISK
| CVE # | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Azul Platform Prime Versions Affected | Note |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2021-2369 |
Library |
Multiple |
Yes |
4.3 |
N |
L |
N |
R |
U |
N |
L |
N |
15, 13, 11, 8, 7 |
Note 1 |
CVE-2021-2341 |
Networking |
Multiple |
Yes |
3.1 |
N |
H |
N |
R |
U |
L |
N |
N |
15, 13, 11, 8, 7 |
Note 1 |
CVE-2021-2388 |
Hotspot |
Multiple |
Yes |
7.5 |
N |
H |
N |
R |
U |
H |
H |
H |
None |
Note 1 |
CVE-2021-2432 |
JNDI |
Multiple |
Yes |
3.7 |
N |
H |
N |
N |
U |
N |
N |
L |
7, 6 |
Note 2 |
CVE-2020-28928 |
Oracle GraalVM Enterprise Edition: LLVM Interpreter (musl libc) |
None |
No |
5.5 |
L |
L |
L |
N |
U |
N |
N |
H |
None |
|
CVE-2021-29921 |
Oracle GraalVM Enterprise Edition: Python interpreter and runtime (CPython) |
Multiple |
Yes |
9.8 |
N |
L |
N |
N |
U |
H |
H |
H |
None |
Base and Impact Metric:
| Metrics | Values |
|---|---|
Attack Vector |
Network (N), Adjacent (A), Local (L), and Physical (P) |
Attack Complexity |
Low (L) and High (H) |
Privileges Required |
None (N), Low (L), and High (H) |
User Interaction |
None (N) and Required ® |
Scope |
Unchanged (U) and Changed © |
Confidentiality Impact |
High (H), Low (L), and None (N) |
Integrity Impact |
High (H), Low (L), and None (N) |
Availability Impact |
High (H), Low (L), and None (N) |
Notes
-
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
-
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
In-Depth Non-CVE Security Fixes
The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.
July 2021 Non-CVE Security Fix
| Patch ID in OpenJDK Bug DB | JDK Levels Applicable in Azul Platform Prime | Synopsis | Java Update Type |
|---|---|---|---|
7, 6 |
Add capability to custom resolve host/domain names within the default JNDI LDAP provider. |
CPU |
|
15, 13, 11, 8, 7 |
Better HTTP transport. |
CPU |
|
15, 13, 11, 8, 7 |
Enhanced data transfers. |
CPU |
|
15, 13, 11, 8 |
Enhanced rules for zones. |
CPU |
|
15, 13, 11, 8, 7 |
Improve Zip file support |
CPU |
|
15, 13, 11, 8 |
Improve NTLM support. |
CPU |
|
15, 13, 11, 8, 7 |
Signs of jarsigner signing. |
CPU |
|
15, 13, 11, 8, 7 |
Improve Font Bounding. |
CPU |
|
15, 13, 11, 8, 7 |
Enhance String Conclusions. |
CPU |
|
15, 13, 11, 8, 7 |
Enhance XML processing passes. |
CPU |
|
15, 13, 11, 8, 7 |
Improve bytecode assembly. |
CPU |