|
|
Log in / Subscribe / Register

Ubuntu alert USN-8002-1 (openjdk-21)



From:
              noreply+usn-bot@canonical.com


To:
              ubuntu-security-announce@lists.ubuntu.com


Subject:
              [USN-8002-1] OpenJDK 21 vulnerabilities


Date:
              Tue, 03 Feb 2026 03:34:23 +0000


Message-ID:
              <E1vn7BH-0004bw-LK@lists.ubuntu.com>


==========================================================================
Ubuntu Security Notice USN-8002-1
February 02, 2026

openjdk-21 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in OpenJDK 21.

Software Description:
- openjdk-21: Open Source Java implementation

Details:

It was discovered that the RMI component of OpenJDK 21 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)

Mingijung discovered that the AWT and JavaFX componenets of OpenJDK 21
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)

Zhihui Chen discovered that the Networking component of OpenJDK 21
was suceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)

Ireneusz Pastusiak discovered that the Security component of OpenJDK 21
failed to verify provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-...

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  openjdk-21-jdk                  21.0.10+7-1~25.10
  openjdk-21-jdk-headless         21.0.10+7-1~25.10
  openjdk-21-jre                  21.0.10+7-1~25.10
  openjdk-21-jre-headless         21.0.10+7-1~25.10
  openjdk-21-jre-zero             21.0.10+7-1~25.10

Ubuntu 24.04 LTS
  openjdk-21-jdk                  21.0.10+7-1~24.04
  openjdk-21-jdk-headless         21.0.10+7-1~24.04
  openjdk-21-jre                  21.0.10+7-1~24.04
  openjdk-21-jre-headless         21.0.10+7-1~24.04
  openjdk-21-jre-zero             21.0.10+7-1~24.04

Ubuntu 22.04 LTS
  openjdk-21-jdk                  21.0.10+7-1~22.04
  openjdk-21-jdk-headless         21.0.10+7-1~22.04
  openjdk-21-jre                  21.0.10+7-1~22.04
  openjdk-21-jre-headless         21.0.10+7-1~22.04
  openjdk-21-jre-zero             21.0.10+7-1~22.04

Ubuntu 20.04 LTS
  openjdk-21-jdk                  21.0.10+7-1~20.04
                                  Available with Ubuntu Pro
  openjdk-21-jdk-headless         21.0.10+7-1~20.04
                                  Available with Ubuntu Pro
  openjdk-21-jre                  21.0.10+7-1~20.04
                                  Available with Ubuntu Pro
  openjdk-21-jre-headless         21.0.10+7-1~20.04
                                  Available with Ubuntu Pro
  openjdk-21-jre-zero             21.0.10+7-1~20.04
                                  Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8002-1
  CVE-2026-21925, CVE-2026-21932, CVE-2026-21933, CVE-2026-21945

Package Information:
  https://launchpad.net/ubuntu/+source/openjdk-21/21.0.10+7...
  https://launchpad.net/ubuntu/+source/openjdk-21/21.0.10+7...
  https://launchpad.net/ubuntu/+source/openjdk-21/21.0.10+7...




Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmmBbGYACgkQcpJm3tlz
hgEleQ/+OdxJVaHEfPH8YU4ieFCbtG3nOOKIXXrNb9/XGdeqrie0ku36/PoS19LF
uwsN91Hqq1nV1xy3h7SwOZz3Idji3j9we3utps2oISleMdMaLccQyWa63uHyNPDy
PDH63FVxv48oiuNZexGD12NmtIsRO8PtteGsUxNYs7fm87jmnezbd/6livZ6X7j5
QzeoGvbPcx0wO2cQZwD/0KQbA59yuGy3UOR0QHx5IpNjTwbq/vsTXNSH0G+Blcte
/Blf7Q1VabbSEt5HmTo8PZThqkSU3JsVDzyxcuwJRK5r+dnwHe5oLEKXSPNv/3R2
9dCpSbBgSQDGpomsYTf//1+oaz170G3aDU6vtklOOSzOpSGwGEHiU+TfoJnq2JSH
6gKJPCG3N0M6Drszx3lr4DRghn2wNmJYUsi239LWq7UzcQxjl9xu9n98MiQInlxj
PQ1SZkW6orxCNYvLtxZvY5l6ZCt3f2ZJJ6iGJhAcALWnriR5aztxx6Ps1M/xxYme
IgF7UUUFUFozpvlRy1J2KriioNFipXhxY/KuggJZzjEQrvSNtxwdSJL7H07GPduI
SInnpHpyrrbotrMrsDo4zi/YJEef7uBrBCCseTjvzHF+0TqlVtfbbjmEXv8tMWhf
JoKJ7gTXmfjrQ1+7nNjf6SS7JrQDEaNTQnJZ9yYb717hq8TJaYI=
=JMBJ
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds