OpenJDK Vulnerability Advisory: 2021/10/19

The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 16.0.2, 15.0.4, 13.0.8, 11.0.12, 8u302, 7u311, and earlier. Please note that defense-in-depth issues are not assigned CVEs. We recommend that you upgrade as soon as possible.

The current and previous advisories are available for reference.

OpenJDK Risk matrix

Affects (release columns): 7, 8, 11, 13, 15, 17

CVE ID          Component                     CVSSv3.1 score  Vector
CVE-2021-35567  security-libs/java.security   6.8             NLLRCHNN
CVE-2021-35550  security-libs/javax.net.ssl   5.9             NHNNUHNN
CVE-2021-35586  client-libs/javax.imageio     5.3             NLNNUNNL
CVE-2021-35564  security-libs/java.security   5.3             NLNNUNLN
CVE-2021-35561  core-libs/java.util           5.3             NLNNUNNL
CVE-2021-35565  core-libs/java.net            5.3             NLNNUNNL
CVE-2021-35559  client-libs/javax.swing       5.3             NLNNUNNL
CVE-2021-35578  security-libs/javax.net.ssl   5.3             NLNNUNNL
CVE-2021-35556  client-libs/javax.swing       5.3             NLNNUNNL
CVE-2021-35603  security-libs/javax.net.ssl   3.7             NHNNULNN
CVE-2021-35588  hotspot/runtime               3.1             NHNRUNNL

OpenJFX Risk matrix

Affects (release columns): 7, 8, 11, 13, 15, 17

CVE ID          Component      CVSSv3.1 score  Vector
CVE-2021-3517   javafx/web     8.6             NLNNULLH
CVE-2021-3522   javafx/media   5.5             LLNRUNNH

Acknowledgements

We acknowledge the following parties for their reports and contributions: Artem Smotrakov, Asaf Greenholts, Chuck Hunley, Dhananjay Arunesh, Fabian Meumertzheim, Juho Nurminen, Markus Loewe, Paul Fiterau-Brostean, and Tristen Hayfield.

We also thank the Leads of the JDK 7 Updates, JDK 8 Updates, JDK 11 Updates, JDK 13 Updates, JDK 15 Updates, and OpenJFX Projects for providing the risk-matrix information for their releases.

How to report a vulnerability

Please see the reporting instructions for information about how to report a vulnerability.

Last update: 2021/10/19 17:43 UTC