Common Vulnerabilities and Exposures Fixes
The following Azul Platform Prime releases contain the October 2021 CPU release of OpenJDK:
| CPU | PSU |
|---|---|
21.10.0.0 |
21.08.200.0 |
21.08.100.0 |
- |
21.02.500.0 |
- |
The following table lists the latest CVE fixes added in the Azul Platform Prime 21.10.0.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.
October 2021 CVE Fix
CVSS VERSION 3.1 RISK
| CVE # | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Azul Platform Prime Versions Affected | Note |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2021-35550 |
JSSE |
TLS |
Yes |
5.9 |
N |
H |
N |
N |
U |
H |
N |
N |
11, 8, 7 |
See Note 2 |
CVE-2021-35556 |
Swing |
Multiple |
Yes |
5.3 |
N |
L |
N |
N |
U |
N |
N |
L |
17, 15, 13, 11, 8, 7 |
See Note 1 |
CVE-2021-35559 |
Swing |
Multiple |
Yes |
5.3 |
N |
L |
N |
N |
U |
N |
N |
L |
17, 15, 13, 11, 8, 7 |
See Note 2 |
CVE-2021-35561 |
Utility |
Multiple |
Yes |
5.3 |
N |
L |
N |
N |
U |
N |
N |
L |
17, 15, 13, 11, 8, 7 |
See Note 2 |
CVE-2021-35564 |
Keytool |
Multiple |
Yes |
5.3 |
N |
L |
N |
N |
U |
N |
L |
N |
17, 15, 13, 11, 8, 7 |
See Note 2 |
CVE-2021-35567 |
Libraries |
Kerberos |
No |
6.8 |
N |
L |
L |
R |
C |
H |
N |
N |
17, 15, 13, 11, 8 |
See Note 2 |
CVE-2021-35578 |
JSSE |
TLS |
Yes |
5.3 |
N |
L |
N |
N |
U |
N |
N |
L |
17, 15, 13, 11, 8 |
See Note 3 |
CVE-2021-35586 |
ImageIO |
Multiple |
Yes |
5.3 |
N |
L |
N |
N |
U |
N |
N |
L |
17, 15, 13, 11, 8, 7 |
See Note 2 |
CVE-2021-35588 |
Hotspot |
Multiple |
Yes |
3.1 |
N |
H |
N |
R |
U |
N |
N |
L |
8, 7 |
See Note 2 |
CVE-2021-35603 |
JSSE |
TLS |
Yes |
3.7 |
N |
H |
N |
N |
U |
L |
N |
N |
17, 15, 13, 11, 8, 7 |
See Note 2 |
CVE-2021-35565 |
JSSE |
TLS |
Yes |
5.3 |
N |
L |
N |
N |
U |
N |
N |
L |
15, 13, 11, 7, 8 |
See Note 3 |
CVE-2021-3517 |
JavaFX |
Multiple |
Yes |
8.6 |
N |
L |
N |
N |
U |
L |
L |
H |
None |
See Note 1 |
CVE-2021-3522 |
JavaFX |
None |
No |
5.5 |
L |
L |
N |
R |
U |
N |
N |
H |
None |
See Note 1 |
Notes:
-
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
-
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
-
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.
Additional CVEs addressed: The updates that address CVE-2021-3517 also address CVE-2021-3537.
Base and Impact Metric:
| Metrics | Values |
|---|---|
Attack Vector |
Network (N), Adjacent (A), Local (L), and Physical (P) |
Attack Complexity |
Low (L) and High (H) |
Privileges Required |
None (N), Low (L), and High (H) |
User Interaction |
None (N) and Required ® |
Scope |
Unchanged (U) and Changed © |
Confidentiality Impact |
High (H), Low (L), and None (N) |
Integrity Impact |
High (H), Low (L), and None (N) |
Availability Impact |
High (H), Low (L), and None (N) |
In-Depth Non-CVE Security Fixes
The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.
October 2021 Non-CVE Security Fix
| Patch ID in OpenJDK Bug DB | JDK Levels Applicable in Azul Platform Prime | Synopsis | Java Update Type |
|---|---|---|---|
7, 8, 11, 13, 15 |
Better LDAP reference processing |
CPU |
|
7, 8, 11, 13, 15 |
Enhance method selection support |
CPU |
|
7, 8, 11, 13, 15 |
More Manifest Digests |
CPU |
|
7, 8, 11, 13, 15 |
ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic |
CPU |
|
7, 8, 11, 13, 15 |
The JEditorPane is blank |
CPU |
|
11, 13, 15 |
Improve requests of certificates |
CPU |
|
11, 13, 15 |
Correct certificate requests |
CPU |
|
7, 8, 11, 13, 15 |
Enhance canonicalization |
CPU |
|
7, 8, 11, 13, 15 |
Better canonicalization |
CPU |
|
7, 8 |
Perfectly perplexing proclivity in the presence of a proxy |
CPU |
|
7, 8, 11, 13, 15 |
More Resilient Classloading |
CPU |
|
7, 8, 11, 13, 15 |
More Manifest Jar Loading |
CPU |
|
7, 8, 11, 13, 15 |
Improve KeyFactory key generation |
CPU |
|
7, 8, 11, 13, 15 |
Enhance XML Dsig modes |
CPU |
|
7, 8, 11, 13, 15 |
Improve handling of sheets |
CPU |
|
7, 8, 11, 13, 15 |
Improve Stream handling for SSL |
CPU |
|
7, 8, 11, 13, 15 |
Better specified spec values |
CPU |