OpenJDK 8 has major security vulnerabilities

[willtconq]

Hello,

It appears OpenJDK 8 u212 has some major security issues. The build in question is AdoptOpenJDK 8 u212 b03 Hotspot.

Windows
Component | Version | Latest version | Major
freetype | 2.5.3 | 2.10.0 | 10
freetype | 2.5.3 | 2.10.0 | 10
xerces-j | 2.7.1 | 2.12.0 | 1

Linux
Component | Version | Latest version | Major
giflib | 5.1.1 | 5.1.9 | 2
lcms | 2.9 | 2.9 | 1
xerces-j | 2.7.1 | 2.12.0 | 1

Component | Version | Latest version | CVE
giflib | 5.1.1 | 5.1.9 | CVE-2016-3977
giflib | 5.1.1 | 5.1.9 | CVE-2015-7555
lcms | 2.9 | 2.9 | CVE-2018-16435
xerces-j | 2.7.1 | 2.12.0 | CVE-2018-2799
freetype | 2.5.3 | 2.10.0 | CVE-2014-9746
freetype | 2.5.3 | 2.10.0 | CVE-2014-9674
freetype | 2.5.3 | 2.10.0 | CVE-2014-9668
freetype | 2.5.3 | 2.10.0 | CVE-2014-9665
freetype | 2.5.3 | 2.10.0 | CVE-2014-9663
freetype | 2.5.3 | 2.10.0 | CVE-2014-9662
freetype | 2.5.3 | 2.10.0 | CVE-2014-9661
freetype | 2.5.3 | 2.10.0 | CVE-2014-9660
freetype | 2.5.3 | 2.10.0 | CVE-2014-9659
freetype | 2.5.3 | 2.10.0 | CVE-2014-9658
freetype | 2.5.3 | 2.10.0 | CVE-2014-9657
freetype | 2.5.3 | 2.10.0 | CVE-2014-9656
freetype | 2.5.3 | 2.10.0 | CVE-2014-9673
freetype | 2.5.3 | 2.10.0 | CVE-2014-9669
freetype | 2.5.3 | 2.10.0 | CVE-2014-9667
freetype | 2.5.3 | 2.10.0 | CVE-2014-9666
freetype | 2.5.3 | 2.10.0 | CVE-2014-9664
freetype | 2.5.3 | 2.10.0 | CVE-2014-9672
freetype | 2.5.3 | 2.10.0 | CVE-2014-9747
freetype | 2.5.3 | 2.10.0 | CVE-2014-9675
freetype | 2.5.3 | 2.10.0 | CVE-2014-9671
freetype | 2.5.3 | 2.10.0 | CVE-2014-9670

For more information on the specific CVE, please see https://nvd.nist.gov

I believe openJDK 11 is on a later version of FreeType. Is there any plans to update any of these components to a later version?

Thanks

[karianna]

Much of this is a case of OpenJDK 8 being pinned to older versions of those libs. That said, we should explore them on a case by case basis and document the risk

[tony--]

@karianna you had recently checked this for me and the freetype used for jdk8u212-b03 is 2.9.1 which is not vulnerable to any of the listed CVEs.
I don't have the evidence handy, but I believe that
lcms is 2.9.1
xerces-j is 2.10.0
giflib is 5.1.4
None of these are vulnerable to the listed CVEs.

@willtconq how did you generate this list? AFAIK it is not possible to identify the version of freetype from the distribution.

If it would help I can provide the evidence for these versions - might need some pointers from @karianna about where to find the correct build on AdoptOpenJDK Jenkins.

[karianna]

@karianna you had recently checked this for me and the freetype used for jdk8u212-b03 is 2.9.1 which is not vulnerable to any of the listed CVEs.
I don't have the evidence handy, but I believe that
lcms is 2.9.1
xerces-j is 2.10.0
giflib is 5.1.4
None of these are vulnerable to the listed CVEs.

@willtconq how did you generate this list? AFAIK it is not possible to identify the version of freetype from the distribution.

If it would help I can provide the evidence for these versions - might need some pointers from @karianna about where to find the correct build on AdoptOpenJDK Jenkins.

Thanks, @tony-- for digging in. Our Jenkins builds and the build scripts are all OSS so you can check the exact versions (and if you can't it's a bug!). https://ci.adoptopenjdk.net is our build farm URL - Please do spelunk through as you like and if you get stuck then that's also a bug and so send us a Q on the #general channel in the adopt slack

[tony--]

@karianna I looked into the freetype version a bit more and found the default setting is 2.9.1:
https://github.com/AdoptOpenJDK/openjdk-build/blob/master/sbin/common/config_init.sh#L324

However it appears that windows builds get overridden to 2.5.3:
https://github.com/AdoptOpenJDK/openjdk-build/blob/master/build-farm/platform-specific-configurations/windows.sh

Am I reading it correctly?

[karianna]

I think you are correct - @ali-ince can you give us some insight as to why we're on 2.5.3?

[ali-ince]

@karianna Freetype was explicitly set as 2.5.3 in infrastructure scripts (https://github.com/AdoptOpenJDK/openjdk-infrastructure/blob/master/ansible/playbooks/AdoptOpenJDK_Windows_Playbook/roles/Freetype/tasks/main.yml) even before when I joined the project and I always thought that it was a requirement. Later versions of freetype include significant changes regarding its rendering engine (which can be defaulted to previous engine implementations) but we need to take special consideration while upgrading (if we'll upgrade).

Yes, for JDK11u and later freetype is bundled inside the jdk source code and we're using whatever version included (currently it's 2.9.1).

[karianna]

OK, thanks - not something to change last minute this release cycle. We can always push out a security release if we really need to.

[M-Davies]

See #1757 for upgrading freetype to 2.10.2 (currently blocked by JDK8 since we don't build it with VS2017)

[junyuanz1]

Quick question. So why we can't build freetype in advance and just use --with-freetype with configure?

[karianna]

Quick question. So why we can't build freetype in advance and just use --with-freetype with configure?

I think we can (which is what the infrastructure scripts do for us - provide a pre-built freetype). I think the question is what version is safe to run for Java 8 and then Java 11+.

https://hg.openjdk.java.net/jdk-updates/jdk9u/raw-file/tip/common/doc/building.html#freetype is the guide for Java 9+ - it doesn't seem to suggest restricting us to 2.5.3, I suspect folks just copied from the example which is why that one is on 2.5.3.

I think we'd need to build a Java 8 on Windows (but override the provided 2.5.3 freetype with a supplied 2.10.2) and then run that through the full AQA pipelines and see what (if anything) fails. Grab @gdams or @johnoliver if you want to see how to run a one-off Java 8 build on the Adopt CI.