Ubuntu 20.10 LTS: USN-4892-1 Critical OpenJDK Jar Bypass
Apr 27, 2021
•
LinuxSecurity Advisories
2 - 3 min read
OpenJDK's security restriction could be bypassed when verifying Jar signatures.
=========================================================================Ubuntu Security Notice USN-4892-1 April 27, 2021 openjdk-8, openjdk-lts vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: OpenJDK's security restriction could be bypassed when verifying Jar signatures. Software Description: - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Details: It was discovered that OpenJDK incorrectly verified Jar signatures. An attacker could possibly use this issue to bypass intended security restrictions when using Jar files signed with a disabled algorithm. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: openjdk-11-jdk 11.0.11+9-0ubuntu2~20.10 openjdk-11-jre 11.0.11+9-0ubuntu2~20.10 openjdk-11-jre-headless 11.0.11+9-0ubuntu2~20.10 openjdk-11-jre-zero 11.0.11+9-0ubuntu2~20.10 openjdk-8-jdk 8u292-b10-0ubuntu1~20.10 openjdk-8-jre 8u292-b10-0ubuntu1~20.10 openjdk-8-jre-headless 8u292-b10-0ubuntu1~20.10 openjdk-8-jre-zero 8u292-b10-0ubuntu1~20.10 Ubuntu 20.04 LTS: openjdk-11-jdk 11.0.11+9-0ubuntu2~20.04 openjdk-11-jre 11.0.11+9-0ubuntu2~20.04 openjdk-11-jre-headless 11.0.11+9-0ubuntu2~20.04 openjdk-11-jre-zero 11.0.11+9-0ubuntu2~20.04 openjdk-8-jdk 8u292-b10-0ubuntu1~20.04 openjdk-8-jre 8u292-b10-0ubuntu1~20.04 openjdk-8-jre-headless 8u292-b10-0ubuntu1~20.04 openjdk-8-jre-zero 8u292-b10-0ubuntu1~20.04 Ubuntu 18.04 LTS: openjdk-11-jdk 11.0.11+9-0ubuntu2~18.04 openjdk-11-jre 11.0.11+9-0ubuntu2~18.04 openjdk-11-jre-headless 11.0.11+9-0ubuntu2~18.04 openjdk-11-jre-zero 11.0.11+9-0ubuntu2~18.04 openjdk-8-jdk 8u292-b10-0ubuntu1~18.04 openjdk-8-jre 8u292-b10-0ubuntu1~18.04 openjdk-8-jre-headless 8u292-b10-0ubuntu1~18.04 openjdk-8-jre-zero 8u292-b10-0ubuntu1~18.04 Ubuntu 16.04 LTS: openjdk-8-jdk 8u292-b10-0ubuntu1~16.04.1 openjdk-8-jre 8u292-b10-0ubuntu1~16.04.1 openjdk-8-jre-headless 8u292-b10-0ubuntu1~16.04.1 openjdk-8-jre-zero 8u292-b10-0ubuntu1~16.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-4892-1 CVE-2021-2163 Package Information: https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~20.10 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.11+9-0ubuntu2~20.10 https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~20.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.11+9-0ubuntu2~20.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~18.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.11+9-0ubuntu2~18.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~16.04.1
PREVIOUS
NEXT
Ubuntu 20.10 LTS: USN-4892-1 Critical OpenJDK Jar Bypass
ubuntu
April 27, 2021
OpenJDK's security restriction could be bypassed when verifying Jar signatures.
Summary
Update Instructions
The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: openjdk-11-jdk 11.0.11+9-0ubuntu2~20.10 openjdk-11-jre 11.0.11+9-0ubuntu2~20.10 openjdk-11-jre-headless 11.0.11+9-0ubuntu2~20.10 openjdk-11-jre-zero 11.0.11+9-0ubuntu2~20.10 openjdk-8-jdk 8u292-b10-0ubuntu1~20.10 openjdk-8-jre 8u292-b10-0ubuntu1~20.10 openjdk-8-jre-headless 8u292-b10-0ubuntu1~20.10 openjdk-8-jre-zero 8u292-b10-0ubuntu1~20.10 Ubuntu 20.04 LTS: openjdk-11-jdk 11.0.11+9-0ubuntu2~20.04 openjdk-11-jre 11.0.11+9-0ubuntu2~20.04 openjdk-11-jre-headless 11.0.11+9-0ubuntu2~20.04 openjdk-11-jre-zero 11.0.11+9-0ubuntu2~20.04 openjdk-8-jdk 8u292-b10-0ubuntu1~20.04 openjdk-8-jre 8u292-b10-0ubuntu1~20.04 openjdk-8-jre-headless 8u292-b10-0ubuntu1~20.04 openjdk-8-jre-zero 8u292-b10-0ubuntu1~20.04 Ubuntu 18.04 LTS: openjdk-11-jdk 11.0.11+9-0ubuntu2~18.04 openjdk-11-jre 11.0.11+9-0ubuntu2~18.04 openjdk-11-jre-headless 11.0.11+9-0ubuntu2~18.04 openjdk-11-jre-zero 11.0.11+9-0ubuntu2~18.04 openjdk-8-jdk 8u292-b10-0ubuntu1~18.04 openjdk-8-jre 8u292-b10-0ubuntu1~18.04 openjdk-8-jre-headless 8u292-b10-0ubuntu1~18.04 openjdk-8-jre-zero 8u292-b10-0ubuntu1~18.04 Ubuntu 16.04 LTS: openjdk-8-jdk 8u292-b10-0ubuntu1~16.04.1 openjdk-8-jre 8u292-b10-0ubuntu1~16.04.1 openjdk-8-jre-headless 8u292-b10-0ubuntu1~16.04.1 openjdk-8-jre-zero 8u292-b10-0ubuntu1~16.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes.
References
https://ubuntu.com/security/notices/USN-4892-1
CVE-2021-2163
Severity
critical
Lowest
Low
Medium
High
Critical
April 27, 2021
Package Information
https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~20.10 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.11+9-0ubuntu2~20.10 https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~20.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.11+9-0ubuntu2~20.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~18.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.11+9-0ubuntu2~18.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~16.04.1
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!