Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0982
Red Hat Build of OpenJDK (container images) release and security update
22 March 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenJDK 11
OpenJDK 1.8
Publisher: Red Hat
Operating System: Red Hat
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Increased Privileges -- Existing Account
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20264
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:0945
https://access.redhat.com/errata/RHSA-2021:0946
Comment: This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running OpenJDK 11 or OpenJDK 1.8 check for an updated version of
the software for their operating system.
This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Build of OpenJDK 11 (container images) release and security update
Advisory ID: RHSA-2021:0945-01
Product: OpenJDK
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0945
Issue date: 2021-03-19
Keywords: openjdk,images
CVE Names: CVE-2021-20264
=====================================================================
1. Summary:
The Red Hat Build of OpenJDK 11 (container images) is now available from
the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
The OpenJDK 11 container images provide the OpenJDK 11 Java Runtime
Environment and the OpenJDK 11 Java Software Development Kit.
This release of the Red Hat Build of OpenJDK 11 (openjdk-11-rhel7:1.1-12
and ubi8-openjdk-11:1.3-10) serves as a replacement for the Red Hat Build
of OpenJDK 11 (openjdk-11-rhel7:1.1-11 and ubi8-openjdk-11:1.3-9), and
includes security and bug fixes, and enhancements. For further information,
refer to the release notes linked to in the References section.
Security Fix(es):
* ubi8/openjdk-11: containers/openjdk: /etc/passwd is given incorrect
privileges (CVE-2021-20264)
* openjdk/openjdk-11-rhel7: containers/openjdk: /etc/passwd is given
incorrect privileges (CVE-2021-20264)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a link to the updated
containers.
4. Bugs fixed (https://bugzilla.redhat.com/):
1932283 - CVE-2021-20264 containers/openjdk: /etc/passwd is given incorrect privileges
5. References:
https://access.redhat.com/security/cve/CVE-2021-20264
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/4859371
https://catalog.redhat.com/software/containers/openjdk/openjdk-11-rhel7/5bf57185dd19c775cddc4ce5?tag=1.1-12&push_date=1616089599000
https://catalog.redhat.com/software/containers/ubi8/openjdk-11/5dd6a4b45a13461646f677f4?container-tabs=overview&tag=1.3-10&push_date=1616090044000
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYFTX7tzjgjWX9erEAQg2YRAAnDwOkQx7Pqq3VnxJi5mxdUiN0JAJ4L2C
N/kh4yGMz9ZbqFXQfdXRdSlTIJoO6cyVe/ObV2WBzaKJRh1XrHzQgaN62rfTntu2
L2NcycAnZXSthY4Hx0gHNkF52zgPibDjjMFvsDasvlbmr2ga82tZvj1Dq3mwE81K
XrvFY1f+FP05RHkJP3oGtfOGPBNGXTqYCHyFguQwj2XNVr9gUus/NWLweDxkJrhS
QQD/Q1qCg6VwI+O+LfxQilkXgnvtHFk7ICxVDt1hiEoBeBeFqKbLUXJ7xsqxzmmj
V8sgy9Va82qA51CJnXZHpY4rbwnQoUI82D9BRWyyHvjFQfe+zBNjf1qIW7c7zhyd
U65h8nLhJgjhdFpojH7nQvCib2c12a4Y/CO1hq9OUc/RN4enemRWH9oNOcMekn+7
SakvTsZp3Y0IxakiSFPuwnMnGaVJnDn+iLOqyxGk0oCxdgzvWCrU7x+SNJz/JSVr
OFJ+Mn1x6P05RMsmL2eSJc06dutDOpztcXrToWHjuzkCXSjN3ABpJoigsaKHvNsG
F0n9SzoAa2m+f0NbUwUC4/KArnqSp/w07VS3q4hvJkdnzSq8Rc1OsV3vOWOBibIm
mSgpIaGjKZBqRT63I4DcpVxmtknxJhLd6YaFVv3sw1NPi6+AhgSEuDelI2i/S4AK
5qt1hDnJtNA=
=e0p2
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Build of OpenJDK 1.8 (container images) release and security update
Advisory ID: RHSA-2021:0946-01
Product: OpenJDK
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0946
Issue date: 2021-03-19
Keywords: openjdk,images
CVE Names: CVE-2021-20264
=====================================================================
1. Summary:
The Red Hat Build of OpenJDK 8 (container images) is now available from the
Red Hat Container Catalog.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
The OpenJDK 8 container images provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
This release of the Red Hat build of OpenJDK 8 (openjdk18-openshift:1.8-26
and ubi8-openjdk-8:1.3-9) serves as a replacement for the Red Hat build of
OpenJDK 8 (openjdk18-openshift:1.8-25 and ubi8-openjdk-8:1.3-8), and
includes security and bug fixes, and enhancements. For further information,
refer to the release notes linked to in the References section.
Security Fix(es):
* ubi8/openjdk-8: containers/openjdk: /etc/passwd is given incorrect
privileges (CVE-2021-20264)
* redhat-openjdk-18/openjdk18-openshift: containers/openjdk: /etc/passwd is
given incorrect privileges (CVE-2021-20264)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a link to the updated
containers.
4. Bugs fixed (https://bugzilla.redhat.com/):
1932283 - CVE-2021-20264 containers/openjdk: /etc/passwd is given incorrect privileges
5. References:
https://access.redhat.com/security/cve/CVE-2021-20264
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/4859371
https://catalog.redhat.com/software/containers/redhat-openjdk-18/openjdk18-openshift/58ada5701fbe981673cd6b10?tag=1.8-26&push_date=1616089599000
https://catalog.redhat.com/software/containers/ubi8/openjdk-8/5dd6a48dbed8bd164a09589a?tag=1.3-9&push_date=1616090044000
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYFTYC9zjgjWX9erEAQicdg//XcrznVl6lL0ia0iASxS5TxKyCme9cpqi
+wIfgO2cnYdD5zszQREx+1+U97QgFOfz7jjeHlikhf4xrRLt2bH9mwaKEOxvRe60
mT/rTjsu75SNtJON8+g+LgvpYx7CFvVul90Nxf875EIQizVjpAGIddbbBY5G969Q
N/HgQHPSZjnLHUUa4J5MvzRxW1pPrIdQHXyXtK3TSj6WB1IhpWZ12xTvQnfyQ6Yd
Ue2mat5sM0iIrRMeATtH7VrEnkaIgwrliYk5Uvs2FZ6dBJeh7aa9IVZMw3YyiXt7
HkM/oT6RDqGx8x9xij1xbffoziggnJnzzYTP1b42lo3N+ykc82Ye5t6bwzSNomjA
bqxoTxkzcyJ9SsnU5VY+bi73CU6xC599R1yhElyvdRTCYXniHMsPigrnRQNXkukB
K7KWWa1UHpBABqcheXX+QpYZWhxIY6IiH2ceBhRo8+UnmxQ6TJb5YPLAltMrwsh8
jzXk1nf9sQOufjH1jwKPPY1MxE9dfNAve/vzXc7BWGPh1VyXVhGtnYzsGb5jy97d
FDzVha6aWGas030hrLfG4nEIil4RT06zTFRbeY2WpkW8dMJ9OL3UdKJEYhuH4RkN
I2GRxSVDoCrXvKHfN7Zf8LNq3Z9oR0uU6rgBU+ERGj5vVnCeqQFwaVsSiwLbayht
QXege6hsBbQ=
=YsgT
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYFgFuuNLKJtyKPYoAQgJ4g//dwwD8SbEAaFqtkM4itICe5hXtbUxEgsE
54q25JA7SaHkMmmWnW3tbiIaJN7R2k0FGJZxzdTwtbGBtVbhdue51jGmskluen/O
v2metRU0oft+2UfJ5YZjT9XcZS5gjWibB9UdDFJ5zSWRLuMNPjN3cf+vs0Ig4J9w
GcIMQOYZeuO8jgA+kyD5YsDNtZDk/3wo/GiHBfcKKY3+OSFNKllXJ563d8B33Fd8
sngFd1aG0zdDdgSF5WIb93pT03NTGYJ5S0MLZb+aAesSdQ7ic9vJgTDx/6tEoE+o
jYH5UhZ9W4SzbCc+NkRJamuCEAqYR62sU5+bPMEbNrBNOziPEEBLljM4pSvXHRgf
fIzj8yGyYFEsxiv39QO+jz6dhuYuxqqVVhxCJ14pkVxd4uzBGS/PsKSNM3kdHulv
C3jcvpcJO1+eqaF9dOtuk4ny7oSfpCjUZ6gp7STZ2CI7YpVbo1yBsLV4L9AGB41b
XC1TiazXBQvtU7hOdDcF44CO3iyEfvHrIELg3dB2dG8S/ZnHxW7/tWN+yRoqo7yF
WDEbWmwD+krm8CdCrsIe9Mty0udjIp4sYg3yPGEP0kZK9P6H0y3DKH8bdfF2+BYS
0FLkzDsKCZT8zCP+d8O8yuBgv4oyj/yvhukgtUREPu5IQI93E07v573Cj/cnWn+w
B1dQHc837D8=
=ZO/o
-----END PGP SIGNATURE-----