adoptium / temurin-build

Eclipse Temurin™ build scripts - common across all releases/versions
Apache License 2.0

OpenJDK 8 has major security vulnerabilities #1127

Open willtconq opened 5 years ago

willtconq commented 5 years ago

Hello,

It appears OpenJDK 8 u212 has some major security issues. The build in question is AdoptOpenJDK 8 u212 b03 Hotspot.

Windows

| Component | Version | Latest version | Major |
|---|---|---|---|
| freetype | 2.5.3 | 2.10.0 | 10 |
| freetype | 2.5.3 | 2.10.0 | 10 |
| xerces-j | 2.7.1 | 2.12.0 | 1 |

Linux

| Component | Version | Latest version | Major |
|---|---|---|---|
| giflib | 5.1.1 | 5.1.9 | 2 |
| lcms | 2.9 | 2.9 | 1 |
| xerces-j | 2.7.1 | 2.12.0 | 1 |

| Component | Version | Latest version | CVE |
|---|---|---|---|
| giflib | 5.1.1 | 5.1.9 | CVE-2016-3977 |
| giflib | 5.1.1 | 5.1.9 | CVE-2015-7555 |
| lcms | 2.9 | 2.9 | CVE-2018-16435 |
| xerces-j | 2.7.1 | 2.12.0 | CVE-2018-2799 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9746 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9674 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9668 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9665 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9663 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9662 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9661 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9660 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9659 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9658 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9657 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9656 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9673 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9669 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9667 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9666 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9664 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9672 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9747 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9675 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9671 |
| freetype | 2.5.3 | 2.10.0 | CVE-2014-9670 |

For more information on the specific CVE, please see https://nvd.nist.gov

I believe OpenJDK 11 is on a later version of FreeType. Are there any plans to update any of these components to a later version?

Thanks

karianna commented 5 years ago

Much of this is a case of OpenJDK 8 being pinned to older versions of those libs. That said, we should explore them on a case by case basis and document the risk.

tony-- commented 5 years ago

@karianna you had recently checked this for me and the freetype used for jdk8u212-b03 is 2.9.1, which is not vulnerable to any of the listed CVEs. I don't have the evidence handy, but I believe that lcms is 2.9.1, xerces-j is 2.10.0 and giflib is 5.1.4. None of these are vulnerable to the listed CVEs.

@willtconq how did you generate this list? AFAIK it is not possible to identify the version of freetype from the distribution.

If it would help I can provide the evidence for these versions - might need some pointers from @karianna about where to find the correct build on AdoptOpenJDK Jenkins.

karianna commented 5 years ago

> @karianna you had recently checked this for me and the freetype used for jdk8u212-b03 is 2.9.1, which is not vulnerable to any of the listed CVEs. I don't have the evidence handy, but I believe that lcms is 2.9.1, xerces-j is 2.10.0 and giflib is 5.1.4. None of these are vulnerable to the listed CVEs.
>
> @willtconq how did you generate this list? AFAIK it is not possible to identify the version of freetype from the distribution.
>
> If it would help I can provide the evidence for these versions - might need some pointers from @karianna about where to find the correct build on AdoptOpenJDK Jenkins.

Thanks, @tony-- for digging in. Our Jenkins builds and the build scripts are all OSS so you can check the exact versions (and if you can't it's a bug!). https://ci.adoptopenjdk.net is our build farm URL - Please do spelunk through as you like and if you get stuck then that's also a bug and so send us a Q on the #general channel in the adopt slack

tony-- commented 5 years ago

@karianna I looked into the freetype version a bit more and found the default setting is 2.9.1: https://github.com/AdoptOpenJDK/openjdk-build/blob/master/sbin/common/config_init.sh#L324

However it appears that windows builds get overridden to 2.5.3: https://github.com/AdoptOpenJDK/openjdk-build/blob/master/build-farm/platform-specific-configurations/windows.sh

Am I reading it correctly?
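As an added example (not temurin-build's own code), a script that asks the FreeType library shipped inside a JDK image for its own version through the public `FT_Library_Version()` call, instead of reading the version off the build configuration. The library file names it searches for, the assumption that the library sits somewhere under the JDK home, and the 2.9.1 minimum (the default this thread names) are all assumptions.

```python
"""Report the FreeType version a JDK image actually ships (added example, not
temurin-build code): load the bundled library with ctypes and ask it directly."""
import ctypes
import sys
from pathlib import Path

LIB_GLOBS = ("freetype.dll", "libfreetype.so*", "libfreetype*.dylib")  # assumed layout

def parse_version(text):
    """'2.10.0' -> (2, 10, 0); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))

def meets_minimum(actual, minimum_text):
    """True if a (major, minor, patch) tuple is at least the given version."""
    return tuple(actual) >= parse_version(minimum_text)

def probe(lib_path):
    """Version the library reports about itself; None if it cannot be loaded or initialised."""
    try:
        ft = ctypes.CDLL(str(lib_path))  # OSError: missing file or wrong architecture
    except OSError:
        return None
    ft.FT_Init_FreeType.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    ft.FT_Init_FreeType.restype = ctypes.c_int  # FT_Error, 0 on success
    ft.FT_Library_Version.argtypes = [ctypes.c_void_p] + [ctypes.POINTER(ctypes.c_int)] * 3
    ft.FT_Library_Version.restype = None
    ft.FT_Done_FreeType.argtypes = [ctypes.c_void_p]
    lib = ctypes.c_void_p()
    if ft.FT_Init_FreeType(ctypes.byref(lib)) != 0:
        return None
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    try:
        ft.FT_Library_Version(lib, ctypes.byref(major), ctypes.byref(minor), ctypes.byref(patch))
    finally:
        ft.FT_Done_FreeType(lib)
    return (major.value, minor.value, patch.value)

def scan_jdk(jdk_home, minimum="2.9.1"):  # path -> (version, meets minimum)
    found = {}
    if not Path(jdk_home).is_dir():
        return found
    for path in (p for g in LIB_GLOBS for p in Path(jdk_home).rglob(g)):
        version = probe(path)
        found[str(path)] = (version, version is not None and meets_minimum(version, minimum))
    return found

if __name__ == "__main__":  # usage: python ft_version.py <JDK_HOME> [minimum]
    for path, (version, ok) in scan_jdk(*sys.argv[1:3]).items():
        print(path, version, "ok" if ok else "BELOW MINIMUM or unreadable")
```

An image with no bundled FreeType (JDK 8 on Linux links the system library) simply reports nothing, so an empty result means "check the system package", not "safe".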

karianna commented 5 years ago

I think you are correct - @ali-ince can you give us some insight as to why we're on 2.5.3?

ali-ince commented 5 years ago

@karianna Freetype was explicitly set as 2.5.3 in infrastructure scripts (https://github.com/AdoptOpenJDK/openjdk-infrastructure/blob/master/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/Freetype/tasks/main.yml) even before I joined the project, and I always thought that it was a requirement. Later versions of freetype include significant changes regarding its rendering engine (which can be defaulted to previous engine implementations), but we need to take special consideration while upgrading (if we upgrade).

Yes, for JDK11u and later freetype is bundled inside the jdk source code and we're using whatever version included (currently it's 2.9.1).

karianna commented 5 years ago

OK, thanks - not something to change last minute this release cycle. We can always push out a security release if we really need to.

M-Davies commented 4 years ago

See https://github.com/AdoptOpenJDK/openjdk-build/pull/1757 for upgrading freetype to 2.10.2 (currently blocked by JDK8 since we don't build it with VS2017)

junyuanz1 commented 3 years ago

Quick question. So why can't we build freetype in advance and just use --with-freetype with configure?

karianna commented 3 years ago

> Quick question. So why can't we build freetype in advance and just use --with-freetype with configure?

I think we can (which is what the infrastructure scripts do for us - provide a pre-built freetype). I think the question is what version is safe to run for Java 8 and then Java 11+.

https://hg.openjdk.java.net/jdk-updates/jdk9u/raw-file/tip/common/doc/building.html#freetype is the guide for Java 9+; it doesn't seem to suggest restricting us to 2.5.3. I suspect folks just copied from the example, which is why that one is on 2.5.3.

I think we'd need to build a Java 8 on Windows (but override the provided 2.5.3 freetype with a supplied 2.10.2) and then run that through the full AQA pipelines and see what (if anything) fails. Grab @gdams or @johnoliver if you want to see how to run a one-off Java 8 build on the Adopt CI.