Bug 1982879 (CVE-2021-2369)

Summary:	CVE-2021-2369 OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
Product:	[Other] Security Response	Reporter:	Tomas Hoger <thoger>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	ahughes, chazlett, java-qa, jochrist, jvanek, neugens, pjindal, security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-07-21 09:54:46 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1972397, 1972399, 1972400, 1972401, 1972402, 1972406, 1972407, 1972408, 1972409, 1972410, 1995015, 1995016, 1995017, 1995502
Bug Blocks:	1972396

Description Tomas Hoger 2021-07-15 21:42:15 UTC

A flaw was found in the way the Library component of OpenJDK handled JAR files containing multiple MANIFEST.MF files.  Such JAR files could cause signature verification process to return an incorrect result, possibly allowing tampering with signed JAR files.  After the fix, all JAR files with multiple MANIFEST.MF files are treated as unsigned.

Comment 1 Tomas Hoger 2021-07-20 20:46:42 UTC

Public now via Oracle CPU July 2021:

https://www.oracle.com/security-alerts/cpujul2021.html#AppendixJAVA

Fixed in Oracle Java SE 16.0.2, 11.0.12, 8u301, and 7u311.

Comment 2 errata-xmlrpc 2021-07-21 08:02:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2783 https://access.redhat.com/errata/RHSA-2021:2783

Comment 3 errata-xmlrpc 2021-07-21 08:40:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2782 https://access.redhat.com/errata/RHSA-2021:2782

Comment 4 errata-xmlrpc 2021-07-21 08:44:50 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2781 https://access.redhat.com/errata/RHSA-2021:2781

Comment 5 errata-xmlrpc 2021-07-21 09:36:28 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2784 https://access.redhat.com/errata/RHSA-2021:2784

Comment 6 errata-xmlrpc 2021-07-21 09:37:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2776 https://access.redhat.com/errata/RHSA-2021:2776

Comment 7 Product Security DevOps Team 2021-07-21 09:54:46 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-2369

Comment 9 errata-xmlrpc 2021-07-21 11:48:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2775 https://access.redhat.com/errata/RHSA-2021:2775

Comment 10 errata-xmlrpc 2021-07-21 12:02:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2774 https://access.redhat.com/errata/RHSA-2021:2774

Comment 11 errata-xmlrpc 2021-07-21 12:50:17 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2845 https://access.redhat.com/errata/RHSA-2021:2845

Comment 12 errata-xmlrpc 2021-07-22 15:02:53 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK

Via RHSA-2021:2778 https://access.redhat.com/errata/RHSA-2021:2778

Comment 13 errata-xmlrpc 2021-07-22 15:03:13 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK

Via RHSA-2021:2777 https://access.redhat.com/errata/RHSA-2021:2777

Comment 14 errata-xmlrpc 2021-07-22 15:10:17 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK

Via RHSA-2021:2780 https://access.redhat.com/errata/RHSA-2021:2780

Comment 15 errata-xmlrpc 2021-07-22 15:10:56 UTC

This issue has been addressed in the following products:

  Red Hat Build of OpenJDK

Via RHSA-2021:2779 https://access.redhat.com/errata/RHSA-2021:2779

Comment 16 Tomas Hoger 2021-08-05 12:41:00 UTC

OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/e23ebe923867

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/465a2d03f9b0

Comment 17 errata-xmlrpc 2021-08-30 08:02:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2021:3292 https://access.redhat.com/errata/RHSA-2021:3292

Comment 18 errata-xmlrpc 2021-08-30 08:04:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2021:3293 https://access.redhat.com/errata/RHSA-2021:3293

Comment 19 errata-xmlrpc 2021-11-02 10:19:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4089 https://access.redhat.com/errata/RHSA-2021:4089