USN-7339-1: CRaC JDK 21 vulnerabilities

11 March 2025

Several security issues were fixed in CRaC JDK 21.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • openjdk-21-crac - Open Source Java implementation with Coordinated Restore at Checkpoints

Details

Andy Boothe discovered that the Networking component of CRaC JDK 21 did not
properly handle access under certain circumstances. An unauthenticated
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21208)

It was discovered that the Hotspot component of CRaC JDK 21 did not
properly handle vectorization under certain circumstances. An
unauthenticated attacker could possibly use this issue to access
unauthorized resources and expose sensitive information.
(CVE-2024-21210, CVE-2024-21235)

It was discovered that the Serialization component of CRaC JDK 21 did not
properly handle deserialization under certain circumstances. An
unauthenticated attacker could possibly use this issue to cause a denial
of service. (CVE-2024-21217)

It was discovered that the Hotspot component of CRaC JDK 21 did not
properly handle API access under certain circumstances. An unauthenticated
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2025-21502)

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2024-10-15
https://openjdk.org/groups/vulnerability/advisories/2025-01-21

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.10

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.

References

Related notices

Join the discussion

Need help with your security needs?

Ubuntu Pro provides up to ten-year security coverage for over 23,000 open-source packages within the Ubuntu Main and Universe repositories.

Talk to an expert to find out what would work best for you

Further reading