Bug 1982874 (CVE-2021-2341)
Summary: | CVE-2021-2341 OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432) | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | ahughes, chazlett, java-qa, jochrist, jvanek, neugens, pjindal, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-07-21 09:54:40 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1972397, 1972399, 1972400, 1972401, 1972402, 1972406, 1972407, 1972408, 1972409, 1972410, 1995015, 1995016, 1995017, 1995502 | | |
Bug Blocks: | 1972396 | | |
Description
Tomas Hoger
2021-07-15 21:29:25 UTC
Oracle JDK release notes include the following note related to this fix:

core-libs/java.net ➜ URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client. The following system property has been added for validation of server addresses in FTP passive mode: jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address to which the FTP Client initially connected. To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The effect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command.

JDK-8258432 (not public)

https://www.oracle.com/java/technologies/javase/11-0-12-relnotes.html
https://www.oracle.com/java/technologies/javase/8u301-relnotes.html
https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_311

Public now via Oracle CPU July 2021:
https://www.oracle.com/security-alerts/cpujul2021.html#AppendixJAVA

Fixed in Oracle Java SE 16.0.2, 11.0.12, 8u301, and 7u311.
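The validation rule the release note describes, written out as an added standalone Python example that is not OpenJDK's own code: the IPv4 address in a 227 PASV reply must match the host the control connection was opened to, unless a trust flag standing in for jdk.net.ftp.trustPasvAddress is set. The function names, the trust_pasv_address parameter and the sample replies are this example's own constructions.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
# h1-h4 form an IPv4 address, the data port is p1 * 256 + p2.
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply, or raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    return ".".join(str(v) for v in fields[:4]), fields[4] * 256 + fields[5]


def data_connection_target(control_host: str, reply: str, trust_pasv_address: bool = False) -> tuple[str, int]:
    """Decide where the data connection may go.

    control_host is the IPv4 address the control connection was opened to.
    With trust_pasv_address=False (the hardened default) a reply naming any other
    host is refused; True restores the old behaviour of using the reply as-is.
    """
    host, port = parse_pasv_reply(reply)
    if not trust_pasv_address and host != control_host:
        raise ConnectionRefusedError(f"PASV reply names {host}, control connection is to {control_host}")
    return host, port


def audit_pasv_replies(control_host: str, replies: list[str], trust_pasv_address: bool = False) -> list[str]:
    """Classify each reply as 'accept', 'reject' or 'malformed' under the policy above."""
    verdicts = []
    for reply in replies:
        try:
            data_connection_target(control_host, reply, trust_pasv_address)
            verdicts.append("accept")
        except ConnectionRefusedError:
            verdicts.append("reject")
        except ValueError:
            verdicts.append("malformed")
    return verdicts


# Constructed sample replies (not captured from any real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,195,80)",  # same host as the control connection
    "227 Entering Passive Mode (10,0,0,5,0,21)",        # server steers the client to another host
    "227 Entering Passive Mode (192,168,1,999,0,21)",   # octet out of range
    "425 Can't open data connection.",                  # not a 227 reply at all
]
```

With the hardened default, audit_pasv_replies("192.168.1.10", SAMPLE_REPLIES) yields ['accept', 'reject', 'malformed', 'malformed']; with trust_pasv_address=True the second reply is accepted as well, which is exactly the behaviour the property reverts to.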
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support. Via RHSA-2021:2783 https://access.redhat.com/errata/RHSA-2021:2783

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support. Via RHSA-2021:2782 https://access.redhat.com/errata/RHSA-2021:2782

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2021:2781 https://access.redhat.com/errata/RHSA-2021:2781

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2021:2784 https://access.redhat.com/errata/RHSA-2021:2784

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2021:2776 https://access.redhat.com/errata/RHSA-2021:2776

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-2341

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support. Via RHSA-2021:2775 https://access.redhat.com/errata/RHSA-2021:2775

This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support. Via RHSA-2021:2774 https://access.redhat.com/errata/RHSA-2021:2774

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2021:2845 https://access.redhat.com/errata/RHSA-2021:2845

This issue has been addressed in the following products: Red Hat Build of OpenJDK. Via RHSA-2021:2778 https://access.redhat.com/errata/RHSA-2021:2778

This issue has been addressed in the following products: Red Hat Build of OpenJDK. Via RHSA-2021:2777 https://access.redhat.com/errata/RHSA-2021:2777

This issue has been addressed in the following products: Red Hat Build of OpenJDK. Via RHSA-2021:2780 https://access.redhat.com/errata/RHSA-2021:2780

This issue has been addressed in the following products: Red Hat Build of OpenJDK. Via RHSA-2021:2779 https://access.redhat.com/errata/RHSA-2021:2779

OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/ca23657dc7da
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/2464c9fe4c11

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary. Via RHSA-2021:3292 https://access.redhat.com/errata/RHSA-2021:3292

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary. Via RHSA-2021:3293 https://access.redhat.com/errata/RHSA-2021:3293

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2021:4089 https://access.redhat.com/errata/RHSA-2021:4089