21.02.500.0
21.02.500.0
Release date: October 19, 2021
This CPU release is based on the following OpenJDK versions:
| Major Version | OpenJDK Version |
|---|---|
7 |
7u321 |
8 |
8u311 |
11 |
11.0.12.0.101+2 |
13 |
13.0.8.0.101+1 |
15 |
15.0.4.101+1 |
CVE fixes
| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
JavaFX (libxml) |
Multiple |
Yes |
8.6 |
Network |
Low |
None |
None |
Unchanged |
Low |
Low |
High |
17, 15, 13, 11, 8 |
Note 1 |
|
Libraries |
Kerberos |
No |
6.8 |
Network |
Low |
Low |
Required |
Changed |
High |
None |
None |
17, 15, 13, 11, 8 |
Note 2 |
|
JSSE |
TLS |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
11, 8, 7, 6 |
Note 2 |
|
JavaFX (GStreamer) |
None |
No |
5.5 |
Local |
Low |
None |
Required |
Unchanged |
None |
None |
High |
17, 15, 13, 11, 8 |
Note 1 |
|
Swing |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Swing |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 2 |
|
Utility |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 2 |
|
Keytool |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
17, 15, 13, 11, 8, 7, 6 |
Note 2 |
|
JSSE |
TLS |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
15, 13, 11, 8, 7, 6 |
Note 3 |
|
JSSE |
TLS |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8 |
Note 3 |
|
ImageIO |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 2 |
|
JSSE |
TLS |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
17, 15, 13, 11, 8, 7, 6 |
Note 2 |
|
Hotspot |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
None |
Low |
8, 7, 6 |
Note 2 |
|
CVE-2021-27290 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM Enterprise Edition: Node (Node.js) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2021-35560 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Deployment |
Multiple |
Yes |
7.5 |
Network |
High |
None |
Required |
Unchanged |
High |
High |
High |
None |
Note 1 |
Notes:
| ID | Notes |
|---|---|
1 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
3 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service. |