Mitigation of CVE-2025-21502 in Carbon Black EDR server
search cancel

Mitigation of CVE-2025-21502 in Carbon Black EDR server

book

Article ID: 390753

calendar_today

Updated On: 03-13-2025

Products

Carbon Black EDR Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to mitigate CVE-2025-21502 in Carbon Black EDR server using adoptium temurin java (jdk-11.0.26).

Environment

Carbon Black EDR Server: 7.8.1 and below. 

Cause

openjdk-11 is now end of life and not all sources are providing patches. RedHat has patch available for ELS-1 subscriber only. At the time of writing this article, there was one medium vulnerability made public against openjdk-11 (CVE-2025-21502)
EDR 7.9.0 server is moving to JDK 17 but in the interim, alternative repository can be used to mitigate open vulnerability on 11.0.25 version (available as latest via most of the providers)

Resolution

In order to have EDR standalone server or cluster use java-11.0.26, we could use openjdk provided by adoptium:
https://adoptium.net/temurin/release-notes/?version=jdk-11.0.26+4 
It includes commit against mentioned CVE-2025-21502 (JDK-8330045)
commit: commit: https://github.com/openjdk/jdk11u-dev/commit/7cee7d037e664fcf84f58d1ae22f96520ef62cff 

To use this version of openjdk, follow below steps:

  1. Add new yum repo:
    [root@linux tmp]# cat /etc/yum.repos.d/adoptium.repo
    [Adoptium]
    name=Adoptium
    baseurl=https://packages.adoptium.net/artifactory/rpm/rocky/$releasever/$basearch
    enabled=1
    gpgcheck=1
    gpgkey=https://packages.adoptium.net/artifactory/api/gpg/key/public

    NOTE: The baseurl above needs to be modified to one of the supported OS from list provided here: https://packages.adoptium.net/ui/native/rpm/ 
  2. Install jdk-11
    yum install temurin-11-jdk  # (This needs to be done on all nodes in case of cluster)
  3. Update cb.conf (on all nodes in case of cluster)
    [root@linux tmp]# /usr/lib/jvm/temurin-11-jdk//bin/java -version
    openjdk version "11.0.26" 2025-01-21
    OpenJDK Runtime Environment Temurin-11.0.26+4 (build 11.0.26+4)
    OpenJDK 64-Bit Server VM Temurin-11.0.26+4 (build 11.0.26+4, mixed mode)

    [root@linux tmp]# cat /etc/cb/cb.conf  | grep CbJavaHome
    #CbJavaHome=/usr/lib/jvm/jre-11/
    CbJavaHome=/usr/lib/jvm/temurin-11-jdk/
  4. Restart EDR server (or cluster) and JAVA from new location will be used
    How to Restart Server Services

Additional Information

  • The change from standard openjdk-11 repo to temurin jdk-11 is still going on various integration and functional testing for 7.9.0. Nevertheless, we don't foresee any issues, it would be appreciated if any observation can be shared back to Broadcom Support.
  • It is recommended to not remove current openjdk-11 for now, just point CbJavaHome to new JDK in phase-1 – That way, change can be reverted if needed.
Powered by Wolken Software