-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1444
            OpenJDK Security Updates for Portable Linux Builds
                               29 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenJDK 8u292
                   OpenJDK 11
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-2163 CVE-2021-2161 

Reference:         ASB-2021.0076
                   ESB-2021.1414
                   ESB-2021.1400
                   ESB-2021.1394

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:1444
   https://access.redhat.com/errata/RHSA-2021:1445
   https://access.redhat.com/errata/RHSA-2021:1446
   https://access.redhat.com/errata/RHSA-2021:1447

Comment: This bulletin contains four (4) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenJDK 8u292 Security Update for Portable Linux Builds
Advisory ID:       RHSA-2021:1444-01
Product:           OpenJDK
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1444
Issue date:        2021-04-28
Keywords:          openjdk,linux
Cross references:  RHSA-2021:70423-01
CVE Names:         CVE-2021-2163 
=====================================================================

1. Summary:

The Red Hat Build of OpenJDK 8 (java-1.8.0-openjdk) is now available for
portable Linux.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and
the OpenJDK 8 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 8 (1.8.0.292) for portable
Linux serves as a replacement for the Red Hat build of OpenJDK 8
(1.8.0.282) and includes security and bug fixes, and enhancements. For
further information, refer to the release notes linked to in the References
section.

Security Fix(es):

* OpenJDK: Incomplete enforcement of JAR signing disabled algorithms
(Libraries, 8249906) (CVE-2021-2163)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/openjdk/8/html/installing_and_using_openjdk_8_for_rhel/installing-openjdk8-on-rhel#installing-jdk8-on-rhel-using-archive

4. Bugs fixed (https://bugzilla.redhat.com/):

1951217 - CVE-2021-2163 OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906)

5. References:

https://access.redhat.com/security/cve/CVE-2021-2163
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.openjdk&version=1.8.0.292
https://access.redhat.com/documentation/en-us/openjdk/8/html/installing_and_using_openjdk_8_for_rhel/installing-openjdk8-on-rhel#installing-jdk8-on-rhel-using-archive
https://openjdk.java.net/groups/vulnerability/advisories/2021-04-20

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- -----------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenJDK 8u292 Windows Builds release and security update
Advisory ID:       RHSA-2021:1445-01
Product:           OpenJDK
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1445
Issue date:        2021-04-28
Keywords:          openjdk,windows
Cross references:  RHSA-2021:70386-01
CVE Names:         CVE-2021-2161 CVE-2021-2163 
=====================================================================

1. Summary:

The Red Hat Build of OpenJDK 8 (java-1.8.0-openjdk) is now available for
Windows.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and
the OpenJDK 8 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 8 (1.8.0.292) for Windows
serves as a replacement for the Red Hat build of OpenJDK 8 (1.8.0.282) and
includes security and bug fixes, and enhancements. For further information,
refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: Incorrect handling of partially quoted arguments in
ProcessBuilder on Windows (Libraries, 8250568) (CVE-2021-2161)

* OpenJDK: Incomplete enforcement of JAR signing disabled algorithms
(Libraries, 8249906) (CVE-2021-2163)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/openjdk/8/html/installing_and_using_openjdk_8_for_windows/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1951217 - CVE-2021-2163 OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906)
1951231 - CVE-2021-2161 OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568)

5. References:

https://access.redhat.com/security/cve/CVE-2021-2161
https://access.redhat.com/security/cve/CVE-2021-2163
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.openjdk&version=1.8.0.292
https://access.redhat.com/documentation/en-us/openjdk/8/html/installing_and_using_openjdk_8_for_windows/index
https://access.redhat.com/documentation/en-us/openjdk/8/html/troubleshooting_openjdk_8_for_windows/index
https://openjdk.java.net/groups/vulnerability/advisories/2021-04-20

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- -----------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenJDK 11.0.11 Security Update for Portable Linux Builds
Advisory ID:       RHSA-2021:1446-01
Product:           OpenJDK
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1446
Issue date:        2021-04-28
Keywords:          openjdk,linux
Cross references:  RHSA-2021:71666-01
CVE Names:         CVE-2021-2163 
=====================================================================

1. Summary:

The Red Hat Build of OpenJDK 11 (java-11-openjdk) is now available for
portable Linux.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and
the OpenJDK 11 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 11 (11.0.11) for portable
Linux serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.10)
and includes security and bug fixes, and enhancements. For further
information, refer to the release notes linked to in the References
section.

Security Fix(es):

* OpenJDK: Incomplete enforcement of JAR signing disabled algorithms
(Libraries, 8249906) (CVE-2021-2163)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_on_rhel/installing-openjdk11-on-rhel8#installing-jdk11-on-rhel-using-archive

4. Bugs fixed (https://bugzilla.redhat.com/):

1951217 - CVE-2021-2163 OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906)

5. References:

https://access.redhat.com/security/cve/CVE-2021-2163
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.openjdk&version=11.0.11.9
https://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_on_rhel/installing-openjdk11-on-rhel8#installing-jdk11-on-rhel-using-archive
https://openjdk.java.net/groups/vulnerability/advisories/2021-04-20

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- -----------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenJDK 11.0.11 Security Update for Windows Builds
Advisory ID:       RHSA-2021:1447-01
Product:           OpenJDK
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1447
Issue date:        2021-04-28
Keywords:          openjdk,windows
Cross references:  RHSA-2021:71665-01
CVE Names:         CVE-2021-2161 CVE-2021-2163 
=====================================================================

1. Summary:

The Red Hat Build of OpenJDK 11 (java-11-openjdk) is now available for
Windows.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and
the OpenJDK 11 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 11 (11.0.11) for Windows
serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.10) and
includes security and bug fixes, and enhancements. For further information,
refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: Incorrect handling of partially quoted arguments in
ProcessBuilder on Windows (Libraries, 8250568) (CVE-2021-2161)

* OpenJDK: Incomplete enforcement of JAR signing disabled algorithms
(Libraries, 8249906) (CVE-2021-2163)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_for_windows/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1951217 - CVE-2021-2163 OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906)
1951231 - CVE-2021-2161 OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568)

5. References:

https://access.redhat.com/security/cve/CVE-2021-2161
https://access.redhat.com/security/cve/CVE-2021-2163
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=core.service.openjdk&version=11.0.11.9
https://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_for_windows/index
https://access.redhat.com/documentation/en-us/openjdk/11/html/configuring_openjdk_11_for_windows/index
https://openjdk.java.net/groups/vulnerability/advisories/2021-04-20

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================