
Java CVEs related to authentication #2315

Closed
rasmi opened this issue Apr 20, 2022 · 0 comments
Labels: bug, google.org-swe

Comments

rasmi (Contributor) commented Apr 20, 2022

Recent Java versions have a cryptography vulnerability allowing attackers to forge certain auth credentials/tokens, including OIDC and SAML. See details here and here.

CiviForm relies on OpenJDK 11, which is not affected by this specific auth issue, but is affected by other CVEs. We should upgrade OpenJDK to a version >11.0.14 to resolve those issues, and notify users to upgrade their CiviForm installations accordingly.

rasmi added the bug, security and needs-triage labels Apr 20, 2022
rasmi added a commit that referenced this issue Apr 20, 2022
See #2315. This only updates the x86/amd64 version, and does not bump the arm64 version, since it is [not yet available](https://hub.docker.com/r/bellsoft/liberica-openjdk-alpine/tags). arm64 is not urgent (to my knowledge) since it is only used for local Mac M1 development.
bion self-assigned this Apr 20, 2022
glorialiou removed the needs-triage label Apr 21, 2022
bion added a commit that referenced this issue Apr 26, 2022
* Update OpenJDK to 11.0.14.1

See #2315. This only updates the x86/amd64 version, and does not bump the arm64 version, since it is [not yet available](https://hub.docker.com/r/bellsoft/liberica-openjdk-alpine/tags). arm64 is not urgent (to my knowledge) since it is only used for local Mac M1 development.

* Also update prod Dockerfile

Co-authored-by: bion <bionj@google.com>
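As an added example (not CiviForm's tooling and not code from this issue): a POSIX shell check that gates a container build or deploy on the JDK version the fix commit moves to. It assumes 11.0.14.1 as the minimum (the version named in the commit message) and the OpenJDK `java -version` banner format; the sample banners below are constructed.

```shell
# Minimum OpenJDK version to accept (assumption: the version the fix commit bumps to).
MIN_JDK_VERSION="11.0.14.1"

# version_ge A B: exit 0 when dotted version A >= B. Components are compared
# numerically one at a time, so 11.0.14.1 > 11.0.14 and 11.0.9 < 11.0.14,
# both of which a plain string comparison gets wrong. Missing trailing
# components count as 0.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# jdk_version_from_banner: read `java -version` output on stdin and print the
# dotted version from the first line, dropping a build suffix such as +1 or
# _312 so only digits and dots reach version_ge. Only the "openjdk version"
# banner is recognised; anything else prints nothing.
jdk_version_from_banner() {
    sed -n 's/^openjdk version "\([0-9.]*\).*/\1/p' | head -n 1
}

# jdk_is_patched BANNER: exit 0 when the banner's version meets
# MIN_JDK_VERSION; exit 2 (fail closed) when the banner is unrecognised.
jdk_is_patched() {
    v=$(printf '%s\n' "$1" | jdk_version_from_banner)
    [ -n "$v" ] || return 2
    version_ge "$v" "$MIN_JDK_VERSION"
}

# Constructed sample banners in the OpenJDK `java -version` format
# (the real command writes this to stderr, so capture it with 2>&1).
VULNERABLE_BANNER='openjdk version "11.0.14" 2022-01-18
OpenJDK Runtime Environment (build 11.0.14+9-LTS)'
PATCHED_BANNER='openjdk version "11.0.14.1" 2022-02-08
OpenJDK Runtime Environment (build 11.0.14.1+1-LTS)'

# Usage against the JVM in an image or on a host:
#   jdk_is_patched "$(java -version 2>&1)" || { echo "JDK below $MIN_JDK_VERSION" >&2; exit 1; }
```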