Bug 1951231 (CVE-2021-2161)

Summary: CVE-2021-2161 OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ahughes, chazlett, java-qa, jochrist, jvanek, neugens, pjindal, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2021-04-28 16:46:34 UTC
Bug Blocks: 1938202    

Description Tomas Hoger 2021-04-19 21:13:04 UTC
It was discovered that the implementation of ProcessBuilder in the Libraries component of OpenJDK on the Windows platform did not properly detect command arguments that were not quoted correctly.  This could lead to manipulation of command arguments when executing processes with arguments from untrusted sources.

Note: This issue did not affect OpenJDK builds on the Linux platform.

Comment 1 Tomas Hoger 2021-04-20 20:13:38 UTC
Further details about this change can be found in the Oracle Java SE release notes:

core-libs/java.lang
➜ Less Ambiguous Processing of ProcessBuilder Quotes on Windows

In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. There is no change to existing behavior when the jdk.lang.process.allowAmbiguousCommands property is set to true: jdk.lang.process.allowAmbiguousCommands=true.

JDK-8250568 (not public)

https://www.oracle.com/java/technologies/javase/16-0-1-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-11-relnotes.html
https://www.oracle.com/java/technologies/javase/8u291-relnotes.html
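
An added example, not part of this bug report or of the JDK: a pre-flight check for code that passes untrusted input to ProcessBuilder on Windows, classifying each argument into the three cases the release note above describes. The names AmbiguousArgCheck, classify and strictBuilder are hypothetical, and the check is an assumption about how to screen input, not the JDK's own encoding logic.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: a hypothetical screening step, not the JDK's encoder.
// It covers only the three argument shapes named in the release note.
public class AmbiguousArgCheck {

    enum Finding { OK, EMPTY, TRAILING_BACKSLASH_QUOTE, EMBEDDED_QUOTE }

    // Classify one argument against the cases in the release note.
    static Finding classify(String arg) {
        if (arg.isEmpty()) {
            return Finding.EMPTY;                     // previously silently ignored
        }
        if (arg.endsWith("\\\"")) {
            return Finding.TRAILING_BACKSLASH_QUOTE;  // previously joined with the next argument
        }
        // Double-quotes anywhere other than the first and last position.
        for (int i = 1; i < arg.length() - 1; i++) {
            if (arg.charAt(i) == '"') {
                return Finding.EMBEDDED_QUOTE;        // previously dropped
            }
        }
        return Finding.OK;
    }

    // Build the command only if no untrusted argument falls in an affected case.
    static ProcessBuilder strictBuilder(String program, List<String> untrustedArgs) {
        List<String> command = new ArrayList<>();
        command.add(program);
        for (String arg : untrustedArgs) {
            Finding f = classify(arg);
            if (f != Finding.OK) {
                throw new IllegalArgumentException("rejected argument (" + f + ")");
            }
            command.add(arg);
        }
        return new ProcessBuilder(command);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, one per case plus two benign ones.
        String[] samples = { "report.txt", "", "C:\\dir\\\"", "a\"b\"c", "\"quoted value\"" };
        for (String s : samples) {
            System.out.println("[" + s + "] -> " + classify(s));
        }
    }
}
```

A check like this is a stopgap for runtimes that cannot yet be updated to a fixed release; it does not replace the update.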

Comment 2 Tomas Hoger 2021-04-20 20:18:56 UTC
Public now via Oracle CPU April 2021:

https://www.oracle.com/security-alerts/cpuapr2021.html#AppendixJAVA

Fixed in Oracle Java SE 16.0.1, 11.0.11, 8u291, and 7u301.

Comment 3 Tomas Hoger 2021-04-23 19:26:53 UTC
OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c73fe2a0141e

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b423d9afa01f

Comment 4 errata-xmlrpc 2021-04-28 12:34:27 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK

Via RHSA-2021:1445 https://access.redhat.com/errata/RHSA-2021:1445

Comment 5 errata-xmlrpc 2021-04-28 12:34:56 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK

Via RHSA-2021:1447 https://access.redhat.com/errata/RHSA-2021:1447

Comment 6 Product Security DevOps Team 2021-04-28 16:46:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-2161