java 21 distroless base images contain unpatched CVEs (CVE-2025-53066, CVE-2025-53057)

[Harguer]

Hello team,

We’ve noticed that the latest Java 21 distroless images appear to include an outdated OpenJDK version (21.0.8+9-LTS), which is flagged by multiple vulnerability scanners as affected by recent CVEs that should be fixed in 21.0.9.

openjdk 21.0.8+9-LTS  CVE-2025-53066  High
openjdk 21.0.8+9-LTS  CVE-2025-53057  Medium
openjdk 21.0.8+9-LTS  CVE-2025-61748  Low

CVE disclosure
A link to a public CVE disclosure
https://nvd.nist.gov/vuln/detail/CVE-2025-53066
https://nvd.nist.gov/vuln/detail/CVE-2025-53057

Name of image
java21

Link to updated package
seems there is new version 21.0.9 available?

[loosebazooka]

Hrmm lemme check our updater

[loosebazooka]

it looks like temurin hasn't updated the jre-aarch64-linux builds, it seems like there's typically a few day delay. We'll pick up all updates for all architectures at once (unfortunate because of how our updater works). I'm hoping that in the future as we move to using their deb repos instead of gh releases, we'll do a better job of faster updates as seen in #1902

[Harguer]

Thank you, @loosebazooka for the quick update, seems it is same for amd64 arch, isn't it ?

[loosebazooka]

you can see all available builds here: https://github.com/adoptium/temurin21-binaries/releases/tag/jdk-21.0.9%2B10

the problem is mostly that we update all at once, even though the amd64 (x64) binary is available, our updater wants all binaries to be available before updated (not ideal, but is what it is).

[Harguer]

Ah! That makes sense, so we just need to wait for the aarch64 build then. Thanks again for looking into it! 🙂

[loosebazooka]

This really isn't moving much, but you can try the java21-debian13 images now if you want to see if those work for you (or java 25)

[phoval]

I can see recent changes in the repository related to java21-debian13, but I’m unable to find the corresponding tag or image in the registry.
Was there an issue during the build or publishing process for this image?

[loosebazooka]

oof, yeah I messed up the tagging, should be fixed with #1919

[huakaibird]

yesterday when we pull gcr.io/distroless/java21-debian12, found it's actually debian13. Now seems it fixed

[ksiczek]

It seems the gcr.io/distroless/java21-debian12:debug@sha256:42a16bbdb089f318e38764c99b552df12cb65a52bcf9e35df8841194e261b141 is still 13.1. We tried upgrading

but it failed (we copy the /bin from Debian 12 distro where it was a folder and in the 42a16bb the /bin seems to be a symlink)

Anyway, is 42a16bb something we could use, or is it just broken and we need to wait for the next one?

[loosebazooka]

okay sorry, these should be okay now, please re-open if you're still seeing issues.

[ShunichirouKamino]

This has been completed. Thank you for your assistance!

$ docker run --rm gcr.io/distroless/java21-debian12 -version
Unable to find image 'gcr.io/distroless/java21-debian12:latest' locally
latest: Pulling from distroless/java21-debian12
~~
Status: Downloaded newer image for gcr.io/distroless/java21-debian12:latest
openjdk version "21.0.9" 2025-10-21 LTS
OpenJDK Runtime Environment Temurin-21.0.9+10 (build 21.0.9+10-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.9+10 (build 21.0.9+10-LTS, mixed mode, sharing)