Opened 7 months ago

Closed 7 months ago

#15845 closed enhancement (fixed)

jdk-17.0.1

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 11.1
Component: BOOK Version: git
Severity: critical Keywords:
Cc:

Description

New major version.

Note that this is a supported LTS release until at least April 2022, with a major distribution like RedHat taking support after that.

We should update this to assist with preventing attacks with Log4j, like ones that have been described using Minecraft. I have personally confirmed this update to prevent remote code execution using the Minecraft 1.18 server and a client running 1.18.1.

Some news articles:

https://www.wired.com/story/log4j-flaw-hacking-internet/

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

https://arstechnica.com/information-technology/2021/12/the-critical-log4shell-zero-day-affects-a-whos-who-of-big-cloud-services/

https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit

https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/

U.S. Government Advisory: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

Since 16.0.2 is unsupported anyway, and we'd have to create new binaries, I don't really feel like it's worth the trouble to patch it at this time. Updating to 17.0.2 is the best way.

Quote from Cloudflare: "When I look back over the last 10 years, there are only two other exploits I can think of with a similar severity: Heartbleed, which allowed you to get information from servers that should have been secure, and Shellshock, which allowed you to run code on a remote machine."

Change History (7)

comment:1 by Douglas R. Reno, 7 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 7 months ago

This also contains fixes for:

CVE-2021-35567 - Medium, remote code execution, may allow for access to "privileged and critical system data"

CVE-2021-35586 - Medium, application crash

CVE-2021-35564 - Medium, unauthorized creation, modification, or deletion of data

CVE-2021-35556 - Medium, application crash

CVE-2021-35559 - Medium, application crash

CVE-2021-35561 - Medium, application crash

CVE-2021-35578 - Medium, application crash

CVE-2021-35603 - Low, unauthorized access of data via TLS bypass

comment:3 by Douglas R. Reno, 7 months ago

We need a new jtreg. Just grabbed the sources from GitHub and built it (sh make/build.sh --jdk /opt/jdk). Waiting to see now if jdk-17 accepts it

comment:4 by Douglas R. Reno, 7 months ago

Test results: passed: 6,231; failed: 49; error: 8

JDK-17 accepts it with my new jtreg tarball.

comment:5 by Douglas R. Reno, 7 months ago

The 64-bit binary is done, just testing it with fop, libreoffice, graphviz, subversion, ant, and opencv. I found a bunch of dependencies that are no longer valid, so I'm going to commit those shortly.

Progress on i686 is going very smoothly.

comment:6 by Douglas R. Reno, 7 months ago

64-bit binary confirmed good with all packages in the book. Shifting focus to other packages once the i686 system is at a point where it can run on its own for a bit.

comment:7 by Douglas R. Reno, 7 months ago

Resolution: fixed
Status: assignedclosed

Fixed at 172f41cfa0ffefbe4331a4ba66a1121d26e623cf and a security advisory has been issued.

Note: See TracTickets for help on using tickets.