REDHAT-BUG-1889274
First published: Mon Oct 19 2020(Updated: )
It was discovered that the LDAP client implementation in the JNDI component of OpenJDK did not properly track whether a connection to a server uses TLS encryption, and consequently did not properly restrict the set of authentication mechanisms that were allowed to be used over an unencrypted connection. This could possibly lead to sending of plain text authentication credentials over an unencrypted connection.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenJDK |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixJAVA
- https://www.oracle.com/java/technologies/javase/15-0-1-relnotes.html
- https://www.oracle.com/java/technologies/javase/11-0-9-relnotes.html
- https://www.oracle.com/java/technologies/javase/8u271-relnotes.html
- https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_281
- https://mail.openjdk.java.net/pipermail/security-dev/2020-October/022920.html
- https://access.redhat.com/errata/RHSA-2020:4306
- https://access.redhat.com/errata/RHSA-2020:4305
- https://access.redhat.com/security/cve/cve-2020-14781
- https://access.redhat.com/errata/RHSA-2020:4307
- https://access.redhat.com/errata/RHSA-2020:4316
- http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/e8b4096c7091
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/ccf97104b8ea
- https://access.redhat.com/errata/RHSA-2020:4349
- https://access.redhat.com/errata/RHSA-2020:4347
- https://access.redhat.com/errata/RHSA-2020:4352
- https://access.redhat.com/errata/RHSA-2020:4348
- https://access.redhat.com/errata/RHSA-2020:4350
- https://access.redhat.com/errata/RHSA-2020:5586
- https://access.redhat.com/errata/RHSA-2021:0717
- https://access.redhat.com/errata/RHSA-2021:0736
- https://bugzilla.redhat.com/show_bug.cgi?id=1889274
Frequently Asked Questions
What is the severity of REDHAT-BUG-1889274?
The severity of REDHAT-BUG-1889274 is considered high due to potential security risks in authentication mechanisms.
How do I fix REDHAT-BUG-1889274?
To fix REDHAT-BUG-1889274, update the OpenJDK JNDI component to the latest version provided by your vendor.
What vulnerabilities are associated with REDHAT-BUG-1889274?
REDHAT-BUG-1889274 is associated with vulnerabilities in TLS encryption and unencrypted connection risks.
Which versions of OpenJDK are affected by REDHAT-BUG-1889274?
All versions of OpenJDK JNDI prior to the patch are affected by REDHAT-BUG-1889274.
Is there a workaround for REDHAT-BUG-1889274?
A possible workaround for REDHAT-BUG-1889274 is to enforce TLS on all LDAP connections as a temporary measure.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-14781
- agent/source
- agent/severity
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/openjdk
- canonical/openjdk