Opened 2 years ago

Closed 2 years ago

#15845 closed enhancement (fixed)

jdk-17.0.1

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 11.1
Component: BOOK
Version: git
Severity: critical
Keywords:
Cc:

Description

New major version.

Note that this is a supported LTS release until at least April 2022, with a major distribution like RedHat taking support after that.

We should update this to assist with preventing attacks with Log4j, like ones that have been described using Minecraft. I have personally confirmed this update to prevent remote code execution using the Minecraft 1.18 server and a client running 1.18.1.

Some news articles:

https://www.wired.com/story/log4j-flaw-hacking-internet/

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

https://arstechnica.com/information-technology/2021/12/the-critical-log4shell-zero-day-affects-a-whos-who-of-big-cloud-services/

https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit

https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/

U.S. Government Advisory: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

Since 16.0.2 is unsupported anyway, and we'd have to create new binaries, I don't really feel like it's worth the trouble to patch it at this time. Updating to 17.0.2 is the best way.

Quote from Cloudflare: "When I look back over the last 10 years, there are only two other exploits I can think of with a similar severity: Heartbleed, which allowed you to get information from servers that should have been secure, and Shellshock, which allowed you to run code on a remote machine."

Change History (7)

comment:1 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 2 years ago

This also contains fixes for:

CVE-2021-35567 - Medium, remote code execution, may allow for access to "privileged and critical system data"

CVE-2021-35586 - Medium, application crash

CVE-2021-35564 - Medium, unauthorized creation, modification, or deletion of data

CVE-2021-35556 - Medium, application crash

CVE-2021-35559 - Medium, application crash

CVE-2021-35561 - Medium, application crash

CVE-2021-35578 - Medium, application crash

CVE-2021-35603 - Low, unauthorized access of data via TLS bypass

comment:3 by Douglas R. Reno, 2 years ago

We need a new jtreg. Just grabbed the sources from GitHub and built it (sh make/build.sh --jdk /opt/jdk). Waiting to see now if jdk-17 accepts it.

comment:4 by Douglas R. Reno, 2 years ago

Test results: passed: 6,231; failed: 49; error: 8

JDK-17 accepts it with my new jtreg tarball.

comment:5 by Douglas R. Reno, 2 years ago

The 64-bit binary is done, just testing it with fop, libreoffice, graphviz, subversion, ant, and opencv. I found a bunch of dependencies that are no longer valid, so I'm going to commit those shortly.

Progress on i686 is going very smoothly.

comment:6 by Douglas R. Reno, 2 years ago

64-bit binary confirmed good with all packages in the book. Shifting focus to other packages once the i686 system is at a point where it can run on its own for a bit.

comment:7 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assigned → closed

Fixed at 172f41cfa0ffefbe4331a4ba66a1121d26e623cf and a security advisory has been issued.
