Visit Azul.com Support

Common Vulnerabilities and Exposures Fixes

Table of Contents

Looking for Zing? The Azul Zing Virtual Machine is now Azul Zulu Prime Builds of OpenJDK and part of Azul Platform Prime. Learn more.

Azul Platform Prime 21.10.0.0 contains the October 2021 CPU release of OpenJDK. Azul Platform Prime 21.10.0.0 brings the associated JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 versions to October 2021 CPU security update levels.

The following table lists the latest CVE fixes added in the Azul Platform Prime 21.10.0.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.

October 2021 CVE Fix

CVSS VERSION 3.1 RISK

CVE # Component Protocol Remote Exploit without Auth. Base Score Attack Vector Attack Complex Privs Req’d User Interact Scope Confidentiality Integrity Availability Supported Azul Platform Prime Versions Affected Note

CVE-2021-35550

JSSE

TLS

Yes

5.9

N

H

N

N

U

H

N

N

11, 8, 7

See Note 2

CVE-2021-35556

Swing

Multiple

Yes

5.3

N

L

N

N

U

N

N

L

17, 15, 13, 11, 8, 7

See Note 1

CVE-2021-35559

Swing

Multiple

Yes

5.3

N

L

N

N

U

N

N

L

17, 15, 13, 11, 8, 7

See Note 2

CVE-2021-35561

Utility

Multiple

Yes

5.3

N

L

N

N

U

N

N

L

17, 15, 13, 11, 8, 7

See Note 2

CVE-2021-35564

Keytool

Multiple

Yes

5.3

N

L

N

N

U

N

L

N

17, 15, 13, 11, 8, 7

See Note 2

CVE-2021-35567

Libraries

Kerberos

No

6.8

N

L

L

R

C

H

N

N

17, 15, 13, 11, 8

See Note 2

CVE-2021-35578

JSSE

TLS

Yes

5.3

N

L

N

N

U

N

N

L

17, 15, 13, 11, 8

See Note 3

CVE-2021-35586

ImageIO

Multiple

Yes

5.3

N

L

N

N

U

N

N

L

17, 15, 13, 11, 8, 7

See Note 2

CVE-2021-35588

Hotspot

Multiple

Yes

3.1

N

H

N

R

U

N

N

L

8, 7

See Note 2

CVE-2021-35603

JSSE

TLS

Yes

3.7

N

H

N

N

U

L

N

N

17, 15, 13, 11, 8, 7

See Note 2

CVE-2021-35565

JSSE

TLS

Yes

5.3

N

L

N

N

U

N

N

L

15, 13, 11, 7, 8

See Note 3

CVE-2021-3517

JavaFX

Multiple

Yes

8.6

N

L

N

N

U

L

L

H

None

See Note 1

CVE-2021-3522

JavaFX

None

No

5.5

L

L

N

R

U

N

N

H

None

See Note 1

Notes:

  1. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

  2. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

  3. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.

Additional CVEs addressed: The updates that address CVE-2021-3517 also address CVE-2021-3537.

Base and Impact Metric:

Metrics Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required ®

Scope

Unchanged (U) and Changed ©

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

October 2021 Non-CVE Security Fix

Patch ID in OpenJDK Bug DB JDK Levels Applicable in Azul Platform Prime Synopsis Java Update Type

JDK-8267712

7, 8, 11, 13, 15

Better LDAP reference processing

CPU

JDK-8269624

7, 8, 11, 13, 15

Enhance method selection support

CPU

JDK-8268506

7, 8, 11, 13, 15

More Manifest Digests

CPU

JDK-8267086

7, 8, 11, 13, 15

ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic

CPU

JDK-8269763

7, 8, 11, 13, 15

The JEditorPane is blank

CPU

JDK-8268193

11, 13, 15

Improve requests of certificates

CPU

JDK-8268199

11, 13, 15

Correct certificate requests

CPU

JDK-8270398

7, 8, 11, 13, 15

Enhance canonicalization

CPU

JDK-8270404

7, 8, 11, 13, 15

Better canonicalization

CPU

JDK-8268059

7, 8

Perfectly perplexing proclivity in the presence of a proxy

CPU

JDK-8266109

7, 8, 11, 13, 15

More Resilient Classloading

CPU

JDK-8266115

7, 8, 11, 13, 15

More Manifest Jar Loading

CPU

JDK-8270212

7, 8, 11, 13, 15

Improve KeyFactory key generation

CPU

JDK-8263314

7, 8, 11, 13, 15

Enhance XML Dsig modes

CPU

JDK-8265574

7, 8, 11, 13, 15

Improve handling of sheets

CPU

JDK-8265776

7, 8, 11, 13, 15

Improve Stream handling for SSL

CPU

JDK-8266103

7, 8, 11, 13, 15

Better specified spec values

CPU