OpenJDK 21.0.5 Vulnerability CVE-2025-21502 in Distroless Image #1745

@Harguer

Describe the bug
Hello!
We are encountering a security vulnerability in the OpenJDK 21.0.5 version of the Google Distroless Java base image. Our nightly vulnerability scans flagged CVE-2025-21502 as present in OpenJDK 21.0.5, and it appears that a fix is now available in later versions (21.0.6, 17.0.14, 11.0.26, etc.).

Scan Output:

NAME     INSTALLED      FIXED-IN                                              TYPE    VULNERABILITY   SEVERITY 
openjdk  21.0.5+11-LTS  1.8.0_441, 11.0.26, 17.0.14, 21.0.6, 23.0.2, 8.0.441  binary  CVE-2025-21502  Medium

Vulnerability Details:

  • Package: openjdk
  • Version: 21.0.5+11-LTS
  • Fixed in: 21.0.6
  • CVE ID: CVE-2025-21502
  • Severity: Medium

To Reproduce

run grype scan

Expected behavior

Could you confirm when the updated OpenJDK 21.0.6 version will be available in the distroless images? We understand that GCP commits to updating within 48 hours of a fix being available, but it does not appear to have been addressed yet.

Console Output
If applicable, add information from your container run

Additional context
Add any other context about the problem here.
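The scan row above lists fixes for several release lines at once, so a scanner consumer has to pick the fix for the installed major line (21.0.6 for 21.0.5) before deciding whether the image is affected. The following is an added example, not code from the issue or the distroless project; the sample row is constructed from the table above, and the version-parsing rules are assumptions about grype's output format.

```python
import re

# Constructed sample row mirroring the grype table columns quoted in the report.
SCAN_ROW = {
    "name": "openjdk",
    "installed": "21.0.5+11-LTS",
    "fixed_in": "1.8.0_441, 11.0.26, 17.0.14, 21.0.6, 23.0.2, 8.0.441",
    "vulnerability": "CVE-2025-21502",
}


def parse_version(v):
    """Reduce a JDK version string to a comparable tuple.

    '21.0.5+11-LTS' -> (21, 0, 5): build number and LTS suffix are dropped.
    Legacy '1.8.0_441' is normalised to (8, 0, 441) so it sorts with '8.0.441'.
    """
    core = re.split(r"[+\-]", v.strip(), maxsplit=1)[0]
    if core.startswith("1.8.0_"):
        return (8, 0, int(core.split("_", 1)[1]))
    return tuple(int(p) for p in core.replace("_", ".").split("."))


def fix_for_same_line(installed, fixed_in_field):
    """Return the fixed version from the same major line as `installed`, or None."""
    major = parse_version(installed)[0]
    for candidate in fixed_in_field.split(","):
        fixed = parse_version(candidate)
        if fixed[0] == major:
            return fixed
    return None


def is_affected(installed, fixed_in_field):
    """True if installed is older than the fix for its line, False if at or past it,
    None when the scanner lists no fix for that line (cannot decide)."""
    fixed = fix_for_same_line(installed, fixed_in_field)
    if fixed is None:
        return None
    return parse_version(installed) < fixed


def evaluate_row(row):
    """Summarise one scan row: which fix applies and whether the image still needs it."""
    return {
        "vulnerability": row["vulnerability"],
        "installed": parse_version(row["installed"]),
        "fix_for_line": fix_for_same_line(row["installed"], row["fixed_in"]),
        "affected": is_affected(row["installed"], row["fixed_in"]),
    }


if __name__ == "__main__":
    print(evaluate_row(SCAN_ROW))
```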
