It was discovered that the Kerberos protocol implementation in the Libraries component of OpenJDK did not correctly report subject principals when using Kerberos Constrained Delegation. This could lead to the use of wrong Kerberos tickets.
Public now via Oracle CPU October 2021: https://www.oracle.com/security-alerts/cpuoct2021.html#AppendixJAVA
Fixed in Oracle Java SE 17.0.1, 11.0.13, 8u311, and 7u321.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3886 https://access.redhat.com/errata/RHSA-2021:3886
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3884 https://access.redhat.com/errata/RHSA-2021:3884
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3885 https://access.redhat.com/errata/RHSA-2021:3885
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3893 https://access.redhat.com/errata/RHSA-2021:3893
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3887 https://access.redhat.com/errata/RHSA-2021:3887
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3891 https://access.redhat.com/errata/RHSA-2021:3891
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-35567
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3889 https://access.redhat.com/errata/RHSA-2021:3889
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:3892 https://access.redhat.com/errata/RHSA-2021:3892
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u312 Via RHSA-2021:3960 https://access.redhat.com/errata/RHSA-2021:3960
This issue has been addressed in the following products: Red Hat Build of OpenJDK 8u312 Via RHSA-2021:3961 https://access.redhat.com/errata/RHSA-2021:3961
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.13 Via RHSA-2021:3967 https://access.redhat.com/errata/RHSA-2021:3967
This issue has been addressed in the following products: Red Hat Build of OpenJDK 11.0.13 Via RHSA-2021:3968 https://access.redhat.com/errata/RHSA-2021:3968
OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u-dev/commit/4ad48d913910b5f9972b92bbefcbf894f4ba08eb
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d336b7025712
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4135 https://access.redhat.com/errata/RHSA-2021:4135
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.1 Via RHSA-2021:4532 https://access.redhat.com/errata/RHSA-2021:4532
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.1 Via RHSA-2021:4531 https://access.redhat.com/errata/RHSA-2021:4531