CVE-2021-2369
First published: Thu Jul 15 2021(Updated: )
A flaw was found in the way the Library component of OpenJDK handled JAR files containing multiple MANIFEST.MF files. Such JAR files could cause signature verification process to return an incorrect result, possibly allowing tampering with signed JAR files. After the fix, all JAR files with multiple MANIFEST.MF files are treated as unsigned.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openjdk-11 | 11.0.16+8-1~deb10u1 11.0.20+8-1~deb10u1 11.0.20+8-1~deb11u1 11.0.21+9-1 | |
| debian/openjdk-8 | 8u382-ga-2 | |
| Oracle GraalVM | =20.3.2 | |
| Oracle GraalVM | =21.1.0 | |
| Oracle Java SE | =7u301 | |
| Oracle Java SE | =8u291 | |
| Oracle JDK | =11.0.11 | |
| Oracle JDK | =16.0.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| IBM DRM | <=2.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2021-2369
- https://www.oracle.com/security-alerts/cpujul2021.html#AppendixJAVA
- https://access.redhat.com/errata/RHSA-2021:2783
- https://access.redhat.com/errata/RHSA-2021:2782
- https://access.redhat.com/errata/RHSA-2021:2781
- https://access.redhat.com/errata/RHSA-2021:2784
- https://access.redhat.com/errata/RHSA-2021:2776
- https://access.redhat.com/security/cve/cve-2021-2369
- https://access.redhat.com/errata/RHSA-2021:2775
- https://access.redhat.com/errata/RHSA-2021:2774
- https://access.redhat.com/errata/RHSA-2021:2845
- https://access.redhat.com/errata/RHSA-2021:2778
- https://access.redhat.com/errata/RHSA-2021:2777
- https://access.redhat.com/errata/RHSA-2021:2780
- https://access.redhat.com/errata/RHSA-2021:2779
- http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/e23ebe923867
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/465a2d03f9b0
- https://access.redhat.com/errata/RHSA-2021:3292
- https://access.redhat.com/errata/RHSA-2021:3293
- https://access.redhat.com/errata/RHSA-2021:4089
- https://bugzilla.redhat.com/show_bug.cgi?id=1982879
- https://lists.debian.org/debian-lts-announce/2021/08/msg00011.html
- https://security.gentoo.org/glsa/202209-05
- https://security.netapp.com/advisory/ntap-20210723-0002/
- https://www.debian.org/security/2021/dsa-4946
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/205796
- https://www.ibm.com/support/pages/node/6497499 (Advisory)
Frequently Asked Questions
What is CVE-2021-2369?
CVE-2021-2369 is an unspecified vulnerability in Java SE related to the Library component.
Which versions of Java SE are affected by CVE-2021-2369?
Java SE versions 7u301, 8u291, 11.0.11, and 16.0.1 are affected by CVE-2021-2369.
Which versions of Oracle GraalVM Enterprise Edition are affected by CVE-2021-2369?
Oracle GraalVM Enterprise Edition versions 20.3.2 and 21.1.0 are affected by CVE-2021-2369.
What is the severity of CVE-2021-2369?
CVE-2021-2369 has a severity value of 4.3, indicating a medium severity.
How do I fix CVE-2021-2369?
To fix CVE-2021-2369, apply the recommended patches or updates provided by Oracle and Debian.
- collector/security-tracker-debian
- agent/author
- agent/type
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-2369
- agent/first-publish-date
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/event
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- package-manager/debian
- vendor/oracle
- canonical/oracle graalvm
- version/oracle graalvm/20.3.2
- version/oracle graalvm/21.1.0
- canonical/oracle java se
- version/oracle java se/7u301
- version/oracle java se/8u291
- canonical/oracle jdk
- version/oracle jdk/11.0.11
- version/oracle jdk/16.0.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/ibm
- canonical/ibm drm
- version/ibm drm/2.0.6