
Multiple Authentication Flaws Found in OpenJDK 25 and 26

Canonical has released security updates addressing five critical vulnerabilities across OpenJDK 25 and 26, affecting core components including JAXP, Networking, JSSE, JGSS, and 2D. Remote attackers could exploit these flaws to gain unauthorized access, cause denial of service, or extract sensitive information.

TL;DR

  • Five CVEs affect OpenJDK 25 and 26, with authentication failures in JAXP, Networking, JSSE, and JGSS components
  • CVE-2026-22016 (JAXP) and CVE-2026-22013 (JGSS) allow remote attackers to access sensitive information without authentication
  • CVE-2026-34282 (Networking) and CVE-2026-22021 (JSSE) enable unauthenticated denial-of-service attacks
  • CVE-2026-23865 (2D component) is an integer arithmetic flaw triggered by specially crafted files, so it requires a user or service to process attacker-supplied input
  • Ubuntu security updates USN-8339-1 and USN-8341-1 address all vulnerabilities across both Java versions

Canonical has released security advisories addressing multiple vulnerabilities in OpenJDK 25 and 26. Researcher Thomas Beckers discovered that several core components failed to properly authenticate certain APIs, creating pathways for remote attackers to compromise Java applications without requiring valid credentials.

The vulnerabilities span five distinct components and carry varying severity levels. While some flaws enable information disclosure, others facilitate denial-of-service attacks or require user interaction through malicious file handling. Both long-term support and current release versions of OpenJDK are affected.

Organizations running Java applications on Ubuntu systems should prioritize patching, as these authentication bypasses could be exploited in production environments to access sensitive data or disrupt service availability.

Affected Components and Attack Vectors

  • JAXP (Java API for XML Processing): CVE-2026-22016 allows remote unauthenticated access to sensitive information
  • JSSE (Java Secure Socket Extension): CVE-2026-22021 enables unauthenticated denial-of-service attacks
  • Networking component: CVE-2026-34282 permits remote DoS via authentication bypass
  • JGSS (Java Generic Security Service): CVE-2026-22013 allows remote attackers to obtain sensitive information
  • 2D Graphics component: CVE-2026-23865 is an integer arithmetic flaw reachable when processing specially crafted files

Remediation and Impact

  • Ubuntu security updates USN-8339-1 (OpenJDK 25) and USN-8341-1 (OpenJDK 26) address all five CVEs
  • Patches correct API authentication logic across affected components
  • Both versions require immediate updates to prevent exploitation in production environments
  • No known public exploits reported at time of advisory, but authentication bypasses are typically high-priority targets
  • Organizations should test patches in staging environments before production deployment
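The remediation steps above reduce to two questions on each Ubuntu host: is OpenJDK 25 or 26 installed, and which advisory covers it. The following triage helper is an added example, not code from the advisory or from Canonical; it parses the output format of `dpkg-query -W -f='${Package} ${Version} ${Status}\n'` from a constructed sample (the version strings are placeholders, and the package names follow Ubuntu's usual `openjdk-<major>-<flavour>` naming, which is an assumption here), maps each installed package to USN-8339-1 or USN-8341-1, and prints the upgrade command.

```shell
#!/bin/sh
# Added triage helper (not part of the advisory): find installed OpenJDK 25/26
# packages so you know whether USN-8339-1 (OpenJDK 25) or USN-8341-1 (OpenJDK 26)
# applies to this host.

# Constructed sample of:
#   dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'openjdk-*'
# Version strings are placeholders, not real Ubuntu package versions.
SAMPLE_DPKG='openjdk-21-jre-headless 21.0.x-0ubuntu1 install ok installed
openjdk-25-jdk 25.0.x-0ubuntu1 install ok installed
openjdk-25-jre-headless 25.0.x-0ubuntu1 install ok installed
openjdk-26-jre 26.0.x-0ubuntu1 deinstall ok config-files'

# affected_openjdk_packages: read dpkg-query lines on stdin and print the names
# of packages that are actually installed (not merely leftover config files)
# and belong to OpenJDK 25 or 26.
affected_openjdk_packages() {
    awk '$1 ~ /^openjdk-2[56]-/ && $3 == "install" && $5 == "installed" { print $1 }'
}

# usn_for_package: map a package name to the Ubuntu advisory that covers it.
usn_for_package() {
    case "$1" in
        openjdk-25-*) echo "USN-8339-1" ;;
        openjdk-26-*) echo "USN-8341-1" ;;
        *) echo "not covered by these advisories" ;;
    esac
}

# On a live host, replace `echo "$SAMPLE_DPKG"` with the dpkg-query call above.
report_affected() {
    echo "$SAMPLE_DPKG" | affected_openjdk_packages | while read -r pkg; do
        echo "$pkg -> $(usn_for_package "$pkg")"
    done
    echo "Apply the fixes with: sudo apt update && sudo apt upgrade"
}

report_affected
```

Run it on a staging host first, as the advisory recommends; the only lines that need changing for a real inventory are the `SAMPLE_DPKG` placeholder and, if you use a different packaging of OpenJDK, the package-name pattern in `affected_openjdk_packages`.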
