Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.2925
java-1.8.0-ibm security update
31 August 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: java-1.8.0-ibm
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Modify Arbitrary Files -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-2369 CVE-2021-2341
Reference: ESB-2021.2675
ESB-2021.2474
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:3292
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: java-1.8.0-ibm security update
Advisory ID: RHSA-2021:3292-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3292
Issue date: 2021-08-30
CVE Names: CVE-2021-2341 CVE-2021-2369
=====================================================================
1. Summary:
An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux
7 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64
3. Description:
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR6-FP35.
Security Fix(es):
* OpenJDK: FTP PASV command response can cause FtpClient to connect to
arbitrary host (Networking, 8258432) (CVE-2021-2341)
* OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF
files (Library, 8260967) (CVE-2021-2369)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of IBM Java must be restarted for this update to take
effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1982874 - CVE-2021-2341 OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
1982879 - CVE-2021-2369 OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
6. Package List:
Red Hat Enterprise Linux Client Supplementary (v. 7):
x86_64:
java-1.8.0-ibm-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):
x86_64:
java-1.8.0-ibm-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 7):
ppc64:
java-1.8.0-ibm-1.8.0.6.35-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-demo-1.8.0.6.35-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-devel-1.8.0.6.35-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.35-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.35-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-src-1.8.0.6.35-1jpp.1.el7.ppc64.rpm
ppc64le:
java-1.8.0-ibm-1.8.0.6.35-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-demo-1.8.0.6.35-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-devel-1.8.0.6.35-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.35-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-src-1.8.0.6.35-1jpp.1.el7.ppc64le.rpm
s390x:
java-1.8.0-ibm-1.8.0.6.35-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-demo-1.8.0.6.35-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.6.35-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.35-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-src-1.8.0.6.35-1jpp.1.el7.s390x.rpm
x86_64:
java-1.8.0-ibm-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 7):
x86_64:
java-1.8.0-ibm-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.35-1jpp.1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-2341
https://access.redhat.com/security/cve/CVE-2021-2369
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYSyQttzjgjWX9erEAQjBoQ/+M3dEAIsPB5MYGtF62NozhkfCXQrfdBkr
OIe6wbJA+EOIZeGZGnuo2KnED4Ijw5fnD8IJ7fiSHWF4YNdbiRpZnTxTOL3VKFAw
cYKs0Rcs5oMdHzTWiJrKjwRqg7fKNuKJubGbkBY10sHlIccEwKNzMjqmgLjdI1eS
FV61sOyjElrHk5+8iNSKo+nZr86EcWkt59WTV5ya0oCPbGSyXCFYT/sLPiLpFoYr
Xwt+c2QMxdXJTmBI87eCk/09NKM8cAzoxRh9WMM26YbaXhEgTJae2zZJPdS+JbB6
eoCOkbwQuKmR/GzJ2kwlEXew1KlkxBEWN/CgdPw68MTPCMPiTBfndQSFgQubSb7Z
Tu/3aN2AzwgAzoO8RCpduYUB2kZKk+n6+ZmjTqwSliA61EDKa38VChm9+yMg1I+p
8r4dF2JZjl8PGsATWCRIDmFW8qyHx5OzO0ktnq1wkPyQhKJCBunKoFxuP+olzVx1
eE9IPuXb1eqBKs7KVjLXUrOMoiJAZkN2YWEsQYYGcfPXpgVCYakZRs8jdano6WrK
XXO0lr1iA4pwFboofxctFnKQGkjxxswH9+grxZi3fFg43OlgKhEdxS0NreWJGlT8
7t2NAyxCBufSlTBjjjyWb6RI4cdZIm5kM9lBFyj1noolQeF3PD5UIfJrU/gX1BUJ
RvECETc3Ixc=
=iG68
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYS1sI+NLKJtyKPYoAQhxzQ//Qc/8Wof/DbmuvoB6+4Mn/Q5qRs61EF4c
16IUjqurMeRMSxUbUXRlY7BuirG42b2JR9KQ8qvzvZB4rHgRGLttWwj3JgX2YokL
27dxRzKJ61nEUc43NF8hXniqdeOG+Erg8nVa4+XZomtR7WHxPFhtdT+VIEe7BVag
oMzWrDG2L2t7sHjolWUk0zYId+PLhj7dmvPTNnpK7r78CRGhhTQPrCsK88ZMJqbG
v1x4OsBqfHrMBo0tc+mNE5Fp27QSAoPi6dtFbH8qpw+JSCySgBBVVEJWrYtmRwBK
4GHU2rPKuzjuzwcU97P6BRbAMfTwKlVwphH8BkU1MfO2eJ5KAL0o92DtAF2d7sUO
Lrr8cQBd5ocsllii3OVicfxH6EW1dIaOuah4KxWMnv5vkgyN8Ow3VhqT4DWXpFCq
veLaE+FVfTTWFxvnMb2pldKbfvmp0KpIpTZl7pYQS4FAOfIMjdg2vUIMshd1XZ5a
bQ4kStGoG+9QHNyjk/HxzTuQzYy1ufrnbeQe06bRTV8KrG7TUk62wok779G+7XvY
fKAFnPZuF59oL1GbNYTDSX97/jwriK8FS0xR4Qog8nel9JnWrNF6elP7/cNAgN9q
ZKoChZus2x7UToeFy7py9yt0+8qNCFhaoADy3B2t8ECaVSOiv8awOjxcnXtU7EzO
tg0STllDvBk=
=EdGj
-----END PGP SIGNATURE-----