A flaw was found in the way the FtpClient implementation in the Networking component of OpenJDK handled responses to the FTP PASV command. A malicious FTP server could cause a Java application using FtpClient to connect to a host and port that is not accessible from the FTP server and perform port scanning or banner extraction. The fix for this issue prevents FtpClient from connecting to hosts different from the server used for the main FTP connection. As this fix may break certain FTP deployments, a newly introduced system property jdk.net.ftp.trustPasvAddress can be used to make FtpClient connect to any host specified in the PASV command response.
Oracle JDK release notes include the following note related to this fix:

core-libs/java.net ➜ URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client. The following system property has been added for validation of server addresses in FTP passive mode: jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected. To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The effect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command.

JDK-8258432 (not public)
https://www.oracle.com/java/technologies/javase/11-0-12-relnotes.html
https://www.oracle.com/java/technologies/javase/8u301-relnotes.html
https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_311
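The PASV-reply validation described above, shown as an added illustration written for this page rather than the JDK's own FtpClient source; the class name PasvReplyCheck, the exception types and the 192.0.2.10 sample control host are assumptions, while the property name jdk.net.ftp.trustPasvAddress and the RFC 959 reply format are as documented:

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration (not the JDK's code): the data-connection address a
 * server announces in its PASV reply is only used when it matches the host
 * of the control connection, unless jdk.net.ftp.trustPasvAddress=true
 * restores the pre-fix "trust whatever the server says" behaviour.
 */
public class PasvReplyCheck {
    // RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
    private static final Pattern PASV = Pattern.compile(
            "227 .*\\((\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3})\\)");

    /** Returns the data endpoint to connect to, or throws if the reply must be rejected. */
    public static InetSocketAddress dataEndpoint(String reply, InetAddress controlHost)
            throws UnknownHostException {
        Matcher m = PASV.matcher(reply);
        if (!m.find()) {
            throw new IllegalArgumentException("malformed PASV reply: " + reply);
        }
        String host = m.group(1) + "." + m.group(2) + "." + m.group(3) + "." + m.group(4);
        int port = (Integer.parseInt(m.group(5)) << 8) + Integer.parseInt(m.group(6));
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("PASV port out of range: " + port);
        }
        InetAddress announced = InetAddress.getByName(host); // literal IPv4, no DNS lookup
        boolean trust = Boolean.getBoolean("jdk.net.ftp.trustPasvAddress");
        if (!trust && !announced.equals(controlHost)) {
            // Post-fix default: refuse to be redirected to a third host (the port-scan vector).
            throw new SecurityException("PASV address " + host + " differs from control host "
                    + controlHost.getHostAddress() + "; set jdk.net.ftp.trustPasvAddress=true to allow");
        }
        // Either the address matches the control connection or the deployment opted back in.
        return new InetSocketAddress(announced, port);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: control connection to 192.0.2.10 (documentation address range).
        InetAddress control = InetAddress.getByName("192.0.2.10");
        // Same host as the control connection: accepted, data port is 195*256 + 89.
        System.out.println(dataEndpoint("227 Entering Passive Mode (192,0,2,10,195,89)", control));
        try {
            // Different host in the reply: rejected unless the property is set.
            dataEndpoint("227 Entering Passive Mode (10,0,0,5,0,22)", control);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run once with no properties and once with -Djdk.net.ftp.trustPasvAddress=true to see the second reply switch from rejected to accepted.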
Public now via Oracle CPU July 2021: https://www.oracle.com/security-alerts/cpujul2021.html#AppendixJAVA Fixed in Oracle Java SE 16.0.2, 11.0.12, 8u301, and 7u311.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:2783 https://access.redhat.com/errata/RHSA-2021:2783
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2782 https://access.redhat.com/errata/RHSA-2021:2782
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2781 https://access.redhat.com/errata/RHSA-2021:2781
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2784 https://access.redhat.com/errata/RHSA-2021:2784
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2776 https://access.redhat.com/errata/RHSA-2021:2776
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-2341
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:2775 https://access.redhat.com/errata/RHSA-2021:2775
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2774 https://access.redhat.com/errata/RHSA-2021:2774
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2845 https://access.redhat.com/errata/RHSA-2021:2845
This issue has been addressed in the following products: Red Hat Build of OpenJDK Via RHSA-2021:2778 https://access.redhat.com/errata/RHSA-2021:2778
This issue has been addressed in the following products: Red Hat Build of OpenJDK Via RHSA-2021:2777 https://access.redhat.com/errata/RHSA-2021:2777
This issue has been addressed in the following products: Red Hat Build of OpenJDK Via RHSA-2021:2780 https://access.redhat.com/errata/RHSA-2021:2780
This issue has been addressed in the following products: Red Hat Build of OpenJDK Via RHSA-2021:2779 https://access.redhat.com/errata/RHSA-2021:2779
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/ca23657dc7da OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/2464c9fe4c11
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2021:3292 https://access.redhat.com/errata/RHSA-2021:3292
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2021:3293 https://access.redhat.com/errata/RHSA-2021:3293
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4089 https://access.redhat.com/errata/RHSA-2021:4089