Lucene search

K
cloudlinuxCloudLinuxCLSA-2022:1654174749
HistoryJun 02, 2022 - 12:59 p.m.

Fixed CVEs in java-1.8.0-openjdk: CVE-2022-21434, CVE-2022-21443, CVE-2022-21476, CVE-2022-21426, CVE-2022-21496

2022-06-0212:59:09
repo.cloudlinux.com
193
upgrade
apache santuario
uri parsing
annotationinvocationhandler
xpath expressions
objectidentifier
memory allocation
java 1.8

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

75.5%

  • Upgrade to openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09. That fixes following CVEs:
  • CVE-2022-21476: Defective secure validation in Apache Santuario
  • CVE-2022-21496: URI parsing inconsistencies
  • CVE-2022-21434: Improper object-to-string conversion in AnnotationInvocationHandler
  • CVE-2022-21426: Unbounded memory allocation when compiling crafted XPath expressions
  • CVE-2022-21443: Missing check for negative ObjectIdentifier
  • Remove patch files from previous change due to their presence in newer versions

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

75.5%