It was discovered that the implementation of ProcessBuilder in the Libraries component of OpenJDK on the Windows platform did not properly detect command arguments that were not quoted correctly. This could lead to manipulation of command arguments when executing processes with arguments from untrusted sources. Note: This issue did not affect OpenJDK builds on the Linux platform.
Further details about this change can be found in the Oracle Java SE release notes:

core-libs/java.lang ➜ Less Ambiguous Processing of ProcessBuilder Quotes on Windows

In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess.

An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process.

There is no change to existing behavior when the jdk.lang.process.allowAmbiguousCommands property is set to true: jdk.lang.process.allowAmbiguousCommands=true.

JDK-8250568 (not public)

https://www.oracle.com/java/technologies/javase/16-0-1-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-11-relnotes.html
https://www.oracle.com/java/technologies/javase/8u291-relnotes.html
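As an added illustration (not code from Oracle, OpenJDK or Red Hat), the following caller-side check flags the three argument shapes the release note above lists before they reach ProcessBuilder. The class name, enum, `tool.exe` and the sample values are hypothetical, and rejecting such arguments outright is a policy assumed for this example, stricter than the JDK's own re-encoding.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class AmbiguousArgCheck {
    // The three argument shapes the release note says were handled ambiguously.
    enum Finding { EMPTY, TRAILING_BACKSLASH_QUOTE, EMBEDDED_QUOTE }

    // Classify one argument; an empty result means none of the three cases applies.
    static List<Finding> classify(String arg) {
        List<Finding> found = new ArrayList<>();
        if (arg.isEmpty()) {
            found.add(Finding.EMPTY);            // was silently ignored before the fix
            return found;
        }
        if (arg.endsWith("\\\"")) {
            found.add(Finding.TRAILING_BACKSLASH_QUOTE); // was joined with the next argument
        }
        int inner = arg.indexOf('"', 1);         // a quote other than first and last
        if (inner != -1 && inner < arg.length() - 1) {
            found.add(Finding.EMBEDDED_QUOTE);   // embedded quotes were dropped
        }
        return found;
    }

    // Caller-side policy (an assumption of this example): refuse such arguments outright.
    static ProcessBuilder buildChecked(String program, List<String> untrustedArgs) {
        List<String> command = new ArrayList<>();
        command.add(program);
        for (String arg : untrustedArgs) {
            List<Finding> found = classify(arg);
            if (!found.isEmpty()) {
                throw new IllegalArgumentException("ambiguous argument " + found);
            }
            command.add(arg);
        }
        return new ProcessBuilder(command);      // built only, never started here
    }

    public static void main(String[] args) {
        System.out.println("allowAmbiguousCommands = "
                + System.getProperty("jdk.lang.process.allowAmbiguousCommands"));
        // Constructed sample inputs, one per case plus one clean value.
        for (String s : Arrays.asList("report.txt", "", "C:\\out\\\"", "a\"b")) {
            System.out.println("[" + s + "] -> " + classify(s));
        }
        System.out.println(buildChecked("tool.exe", Arrays.asList("report.txt")).command());
    }
}
```

Launching the JVM with `-Djdk.lang.process.allowAmbiguousCommands=false` makes the first output line show the strict setting; without the option the property prints as `null`.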
Public now via Oracle CPU April 2021:

https://www.oracle.com/security-alerts/cpuapr2021.html#AppendixJAVA

Fixed in Oracle Java SE 16.0.1, 11.0.11, 8u291, and 7u301.
OpenJDK-11 upstream commit:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c73fe2a0141e

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b423d9afa01f
This issue has been addressed in the following products:

Red Hat Build of OpenJDK

Via RHSA-2021:1445 https://access.redhat.com/errata/RHSA-2021:1445
This issue has been addressed in the following products:

Red Hat Build of OpenJDK

Via RHSA-2021:1447 https://access.redhat.com/errata/RHSA-2021:1447
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-2161