---

CVE-2021-2161 - log back

CVE-2021-2161 edited at 24 Apr 2021 09:26:05
Description	- A security issue was found in Java SE versions 7u291, 8u281, 11.0.10 and 16 on Windows. In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. There is no change to existing behavior when the jdk.lang.process.allowAmbiguousCommands property is set to true: jdk.lang.process.allowAmbiguousCommands=true. + It was discovered that the implementation of ProcesBuilder in the Libraries component of OpenJDK on the Windows platform did not properly detect command arguments that were not quoted correctly. This could lead to manipulation of command arguments when executing processes with arguments from untrusted sources. This issue did not affect OpenJDK builds on the Linux platform. It is fixed in versions 16.0.1, 11.0.11, 8u291, and 7u301.
References	https://www.oracle.com/security-alerts/cpuapr2021verbose.html#JAVA - https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-April/005860.html + https://bugzilla.redhat.com/show_bug.cgi?id=1951231 https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8250568 https://www.oracle.com/java/technologies/javase/16-0-1-relnotes.html https://www.oracle.com/java/technologies/javase/11-0-11-relnotes.html https://www.oracle.com/java/technologies/javase/8u291-relnotes.html https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_301 + http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c73fe2a0141e + http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b423d9afa01f

CVE-2021-2161 edited at 24 Apr 2021 09:04:33
Type	- Arbitrary filesystem access + Incorrect calculation
Description	+ A security issue was found in Java SE versions 7u291, 8u281, 11.0.10 and 16 on Windows. In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. There is no change to existing behavior when the jdk.lang.process.allowAmbiguousCommands property is set to true: jdk.lang.process.allowAmbiguousCommands=true. - Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. - - Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component.
References	https://www.oracle.com/security-alerts/cpuapr2021verbose.html#JAVA + https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-April/005860.html + https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8250568 https://www.oracle.com/java/technologies/javase/16-0-1-relnotes.html https://www.oracle.com/java/technologies/javase/11-0-11-relnotes.html https://www.oracle.com/java/technologies/javase/8u291-relnotes.html https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_301

CVE-2021-2161 edited at 21 Apr 2021 12:17:39
References	https://www.oracle.com/security-alerts/cpuapr2021verbose.html#JAVA + https://www.oracle.com/java/technologies/javase/16-0-1-relnotes.html + https://www.oracle.com/java/technologies/javase/11-0-11-relnotes.html + https://www.oracle.com/java/technologies/javase/8u291-relnotes.html + https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_301

CVE-2021-2161 edited at 21 Apr 2021 12:06:49
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Arbitrary filesystem access
Description	+ Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. + + Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component.
References	+ https://www.oracle.com/security-alerts/cpuapr2021verbose.html#JAVA
Notes

CVE-2021-2161 created at 21 Apr 2021 12:05:39