Bug 1951231 (CVE-2021-2161) - CVE-2021-2161 OpenJDK: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows (Libraries, 8250568)
Summary: CVE-2021-2161 OpenJDK: Incorrect handling of partially quoted arguments in Pr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-2161
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1938202
 
Reported: 2021-04-19 21:13 UTC by Tomas Hoger
Modified: 2021-12-13 09:15 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-28 16:46:34 UTC
Embargoed:



Description Tomas Hoger 2021-04-19 21:13:04 UTC
It was discovered that the implementation of ProcessBuilder in the Libraries component of OpenJDK on the Windows platform did not properly detect command arguments that were not quoted correctly.  This could lead to manipulation of command arguments when executing processes with arguments from untrusted sources.

Note: This issue did not affect OpenJDK builds on the Linux platform.

Comment 1 Tomas Hoger 2021-04-20 20:13:38 UTC
Further details about this change can be found in the Oracle Java SE release notes:

core-libs/java.lang
➜ Less Ambiguous Processing of ProcessBuilder Quotes on Windows

In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. There is no change to existing behavior when the jdk.lang.process.allowAmbiguousCommands property is set to true: jdk.lang.process.allowAmbiguousCommands=true.

JDK-8250568 (not public)

https://www.oracle.com/java/technologies/javase/16-0-1-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-11-relnotes.html
https://www.oracle.com/java/technologies/javase/8u291-relnotes.html
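
The three cases in the release note quoted in Comment 1 can be reproduced with a small model of the Microsoft C runtime argument-splitting rules. This is an added example, not OpenJDK or Oracle code: `parse_args`, `encode_arg`, `naive_join`, `survives` and `SAMPLES` are hypothetical names, `naive_join` is a simplified stand-in for the ambiguous handling the note describes, and the parser covers only the arguments after the program name.

```python
import re

def parse_args(cmdline):
    """Split the argument part of a command line (program name already removed)."""
    args, cur, in_q, have, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))   # 2n backslashes before a quote -> n
                if n % 2:                      # odd count: the quote is literal
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)           # no quote follows: all literal
            have = True
            continue
        if c == '"':
            in_q, have = not in_q, True        # a bare quote toggles quoted mode
        elif c in " \t" and not in_q:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(c)
            have = True
        i += 1
    return args + ["".join(cur)] if have else args

def encode_arg(arg):
    """Generic full quoting (not the JDK encoder): parse_args() returns arg unchanged."""
    arg = re.sub(r'(\\*)"', r'\1\1\\"', arg)   # double backslashes before a quote, escape it
    arg = re.sub(r'(\\+)\Z', r'\1\1', arg)     # double backslashes before the closing quote
    return '"' + arg + '"'

def naive_join(args):
    """Simplified stand-in for ambiguous handling: caller-supplied quotes are trusted."""
    def one(a):
        wrapped = len(a) >= 2 and a[0] == '"' and a[-1] == '"'
        return a if wrapped or not (" " in a or "\t" in a) else '"' + a + '"'
    return " ".join(one(a) for a in args)

def survives(args, join):  # True if the child sees exactly the list the caller built
    return parse_args(join(args)) == list(args)

SAMPLES = [['"C:\\logs\\"', "extra"], ["a", "", "b"], ['a"b"c']]  # constructed inputs
```

Under `naive_join` the first sample collapses into a single argument, the second loses its empty argument and the third loses its embedded quotes, while joining with `encode_arg` preserves all three lists.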

Comment 2 Tomas Hoger 2021-04-20 20:18:56 UTC
Public now via Oracle CPU April 2021:

https://www.oracle.com/security-alerts/cpuapr2021.html#AppendixJAVA

Fixed in Oracle Java SE 16.0.1, 11.0.11, 8u291, and 7u301.

Comment 3 Tomas Hoger 2021-04-23 19:26:53 UTC
OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c73fe2a0141e

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b423d9afa01f

Comment 4 errata-xmlrpc 2021-04-28 12:34:27 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK

Via RHSA-2021:1445 https://access.redhat.com/errata/RHSA-2021:1445

Comment 5 errata-xmlrpc 2021-04-28 12:34:56 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK

Via RHSA-2021:1447 https://access.redhat.com/errata/RHSA-2021:1447

Comment 6 Product Security DevOps Team 2021-04-28 16:46:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-2161

