CVE-2022-21426

2022-04-19T21:15:00

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Affected Software

CPE Name	Name	Version
oracle:graalvm	oracle graalvm	20.3.5
oracle:graalvm	oracle graalvm	21.3.1
oracle:graalvm	oracle graalvm	22.0.0.2
oracle:jdk	oracle jdk	18
oracle:jdk	oracle jdk	17.0.2
oracle:jdk	oracle jdk	11.0.14
oracle:jre	oracle jre	17.0.2
oracle:jre	oracle jre	11.0.14
oracle:jre	oracle jre	18
oracle:jre	oracle jre	1.7.0
oracle:jre	oracle jre	1.8.0
oracle:jdk	oracle jdk	1.7.0
oracle:jdk	oracle jdk	1.8.0
debian:debian_linux	debian debian linux	9.0
debian:debian_linux	debian debian linux	10.0
debian:debian_linux	debian debian linux	11.0
netapp:oncommand_insight	netapp oncommand insight	-
netapp:e-series_santricity_storage_manager	netapp e-series santricity storage manager	-
netapp:solidfire_\&_hci_management_node	netapp solidfire \& hci management node	-
netapp:santricity_unified_manager	netapp santricity unified manager	-
netapp:e-series_santricity_web_services	netapp e-series santricity web services	-
netapp:7-mode_transition_tool	netapp 7-mode transition tool	-
netapp:hci_compute_node_firmware	netapp hci compute node firmware	-
netapp:active_iq_unified_manager	netapp active iq unified manager	-
netapp:e-series_santricity_os_controller	netapp e-series santricity os controller	11.70.1
netapp:cloud_insights_acquisition_unit	netapp cloud insights acquisition unit	-
netapp:cloud_secure_agent	netapp cloud secure agent	-
netapp:solidfire\,_enterprise_sds_\&_hci_storage_node	netapp solidfire\, enterprise sds \& hci storage node	-
azul:zulu	azul zulu	7.52
azul:zulu	azul zulu	8.60
azul:zulu	azul zulu	11.54
azul:zulu	azul zulu	13.46
azul:zulu	azul zulu	15.38
azul:zulu	azul zulu	17.32
azul:zulu	azul zulu	6.45
azul:zulu	azul zulu	18.28

{"id": "CVE-2022-21426", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-21426", "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", "published": "2022-04-19T21:15:00", "modified": "2023-04-27T17:53:00", "epss": [{"cve": "CVE-2022-21426", "epss": 0.00072, "percentile": 0.29406, "modified": "2023-06-14"}], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21426", "reporter": "secalert_us@oracle.com", "references": ["https://www.oracle.com/security-alerts/cpuapr2022.html", "https://security.netapp.com/advisory/ntap-20220429-0006/", "https://www.debian.org/security/2022/dsa-5128", "https://www.debian.org/security/2022/dsa-5131", "https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html"], "cvelist": ["CVE-2022-21426"], "immutableFields": [], "lastseen": "2023-06-14T14:16:26", "viewCount": 216, "enchantments": {"twitter": {"counter": 4, "tweets": [{"link": "https://twitter.com/threatintelctr/status/1525456715914919937", "text": " NEW: CVE-2022-21426 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.... (click for more) Severity: MEDIUM https://t.co/xhAOvFL9wY", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/threatintelctr/status/1525720959365390336", "text": " NEW: CVE-2022-21426 Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.... (click for more) Severity: MEDIUM https://t.co/xhAOvFL9wY", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/micsieg/status/1560056600014077959", "text": "Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU \u2013 Apr 2022 \u2013 Includes Oracle April 2022 CPU (minus CVE-2022-21426)affects IBM Security Verify Governance, Identity Manager virtual appliance component", "author": "micsieg", "author_photo": "https://pbs.twimg.com/profile_images/941241322064830465/bbH-XJ4h_400x400.jpg"}]}, "score": {"value": 2.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "aix", "idList": ["JAVA_MAY2023_ADVISORY.ASC"]}, {"type": "almalinux", "idList": ["ALSA-2022:1442", "ALSA-2022:1445", "ALSA-2022:1491"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2022-21426"]}, {"type": "altlinux", "idList": ["11C08B8C28C751E471AEE6CC5818AAAD", "50050394FAC75271D4CBCC5BDF6F2E95"]}, {"type": "amazon", "idList": ["ALAS-2022-1631", "ALAS-2022-1633", "ALAS2-2022-1778", "ALAS2-2022-1790", "ALAS2-2022-1791", "ALAS2-2022-1835"]}, {"type": "centos", "idList": ["CESA-2022:1440", "CESA-2022:1487"]}, {"type": "cloudlinux", "idList": ["CLSA-2022:1654174749", "CLSA-2022:1661176564"]}, {"type": "debian", "idList": ["DEBIAN:DLA-3006-1:837AC", "DEBIAN:DSA-5128-1:74A9E", "DEBIAN:DSA-5131-1:B4168"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2022-21426"]}, {"type": "f5", "idList": ["F5:K32172755"]}, {"type": "ibm", "idList": ["01A50703477A1B666E966BF1B72B350DC27813F59907D29FAE3903822284A578", "0427E6AA646DE077D9A0FABE9729FECFF5A0C7757BA113C348506FCB5410F3B3", "0800FED45015812CA59F3FB2B71E7EBC02028DD8D4576D54E210A3FF45EC494B", "1550D8200201461EC49D4AE69DCCF18DB21420A03A569C1221D5BF7158B80766", "1E4854A903497616A9D2E489883B7097A216137D8A9C20DACDE93B4250B7ADEF", "2086D78578107C87118705CD43C5319ABE0509F632BBA56B836AF909B50F1A9F", "23E8421E36730ABF053F73AB99A0740D1C577B2DF0EEC94B55CAF5BE760F31AB", "25BB8EE478BAB36FA7FCE8080766EC4C78D22510783D2348090CF2F616F77A70", "2BD5EB1610BFB9D059F9C086849D8EBB4229D9076E95833FFFD115789209904F", "2FFAA17CE193A68550F9DD0D2CC3796647948BC829C6055DFDE457A57C0AAF0B", "408C74D95484E93E05D0B99834A53E6E9E970957DE240B861F1293CA7C8A6A1C", "4C86B8395A615C191CCBC8EE216129A475EC6F0EC9C347C3B9B3755117EF4CBD", "4E89B826442329F84F608AEBC62A661FE54088D85110F141977090AA4AB8678E", "5952692D49B58BD246695C217C8F0489556BAB8A5670C5400570111E98BA4543", "720FFD587B98E297434100A5E59FD063FF0989312C276C749CA94B05459D58CD", "78A698C4CF4ED7512CDC3542D745C570A2C31751FB3CD8B1F65E1C4ABB0FC834", "7982C52AF077A07BEAB1AD0AFD759C1371882F030BAA768E2647C18AF085104C", "7A53E045806377D0DF2549379624E563D5C8E0F408F19CDEB870A714153397FE", "7C4B6FB72EEDDAA73870EA526178830E841CB976F691BA86301DF8577A709CF5", "86277132501DAD58BB2ACB4C64FD60B259D2C0AD43248122C43F0A9DA4CD1368", "8C5187EDAE3F30F7A01C23E8A3AAEFAA66BC89E92713C66FE4606F1B1870BA63", "916385E416A757BD73E3CDE6A483117ED060F434AFC177A023624D5B1E8C6CE9", "91C2B88975760C09E6FF306FEBBACC31916618B9AD886FB44932558DBAC9C9BB", "96FAFF3C7D07405C90F28D7AA8785DE391620CE306F0F728B816138795273CE1", "9F58E7FFDA8D80A4FD56687BE4C1BE660093DD7C72AE18A03F5320F8B7E0C1F0", "A62622AACE3EDEE7C0685473486C2416A776458E05DC1E5DCDF6CAEDC18554F3", "A9D23D6BF534301222123D9B10700AAE50EE9A370B9B48EBF9F771708759C2CE", "AD07FBFE41C71959BA164DC477AA5C9937143E243C7EA2C9CB72779238BB5E2B", "AD3C91C9E37A5C20144E0684A93E665E701EC4602A4275E6CB679E8ABF67832C", "AD95CA7C23870D3804DD52C9A6B346994AFF4FE894A7AB9E451D67947633D8B0", "B9051747F88831192F96587848768281C92A21A5454B834EF436587B70A065DE", "C078ABAA6E4D80D641295C64101FDA8E9D886F6111077E1C84B7D25B9218FF32", "C5F628240DB4B1EAE3DA0AE709FE38C5E457D2CF3B13A8612B5AB159E298A3B3", "CC6EC6642F504040F49FD6C9B2F8ED7A7B6193435EC54E02906DCB6C0648A228", "CFCC2C58BF1AD2C952636D656CF06F0EFD78FE99D3B9906329BFD0F9AF6AB31D", "D709D9AEFFEA65B5D2B3F250EAA35B7567EA2C85B722CBD20CA9AEC1783BC300", "ECFAD8E6C02ED1FDC660B7F94B3208DFF757AAB82DA3254B7ACBC8A758CB95BF", "EF9079290B88737FC8A621793C98EB82287DB53AD77BEA20CCA44251326E2BB9", "EFF110BCB9EDCBDB618BE8EC7DF42715A87607794FE8143FE35FE864675727A5", "F1A3C1D97DA756217EC632D6907F150A84B75091EECA5C387606676B94FB2E66", "F68AB9809A9ED0BF2F7F7D45080968ACBD941A3E4FB54AE4EF30774448A70284"]}, {"type": "kaspersky", "idList": ["KLA12516"]}, {"type": "mageia", "idList": ["MGASA-2022-0261"]}, {"type": "nessus", "idList": ["AL2_ALAS-2022-002.NASL", "AL2_ALAS-2022-1778.NASL", "AL2_ALAS-2022-1790.NASL", "AL2_ALAS-2022-1791.NASL", "AL2_ALAS-2022-1835.NASL", "AL2_ALASCORRETTO8-2022-002.NASL", "AL2_ALASJAVA-OPENJDK11-2022-002.NASL", "ALA_ALAS-2022-1631.NASL", "ALA_ALAS-2022-1633.NASL", "ALMA_LINUX_ALSA-2022-1728.NASL", "ALMA_LINUX_ALSA-2022-1729.NASL", "ALMA_LINUX_ALSA-2022-2137.NASL", "AMAZON_CORRETTO_11_0_15_9_1.NASL", "AMAZON_CORRETTO_17_0_3_6_1.NASL", "AMAZON_CORRETTO_18_0_1_10_1.NASL", "AMAZON_CORRETTO_8_332_08_1.NASL", "AZUL_ZULU_18_30_12.NASL", "CENTOS_RHSA-2022-1440.NASL", "DEBIAN_DLA-3006.NASL", "DEBIAN_DSA-5128.NASL", "DEBIAN_DSA-5131.NASL", "NUTANIX_NXSA-AOS-5_20_4_5.NASL", "NUTANIX_NXSA-AOS-5_20_5.NASL", "NUTANIX_NXSA-AOS-6_1_1_5.NASL", "NUTANIX_NXSA-AOS-6_6.NASL", "OPENJDK_2022-04-19.NASL", "ORACLELINUX_ELSA-2022-1440.NASL", "ORACLELINUX_ELSA-2022-1442.NASL", "ORACLELINUX_ELSA-2022-1445.NASL", "ORACLELINUX_ELSA-2022-1487.NASL", "ORACLELINUX_ELSA-2022-1491.NASL", "ORACLELINUX_ELSA-2022-1728.NASL", "ORACLELINUX_ELSA-2022-1729.NASL", "ORACLELINUX_ELSA-2022-2137.NASL", "ORACLE_JAVA_CPU_2022_APR.NASL", "ORACLE_JAVA_CPU_APR_2022.NASL", "ORACLE_JAVA_CPU_APR_2022_UNIX.NASL", "REDHAT-RHSA-2022-1440.NASL", "REDHAT-RHSA-2022-1441.NASL", "REDHAT-RHSA-2022-1442.NASL", "REDHAT-RHSA-2022-1443.NASL", "REDHAT-RHSA-2022-1444.NASL", "REDHAT-RHSA-2022-1445.NASL", "REDHAT-RHSA-2022-1487.NASL", "REDHAT-RHSA-2022-1488.NASL", "REDHAT-RHSA-2022-1489.NASL", "REDHAT-RHSA-2022-1490.NASL", "REDHAT-RHSA-2022-1491.NASL", "REDHAT-RHSA-2022-1728.NASL", "REDHAT-RHSA-2022-1729.NASL", "REDHAT-RHSA-2022-2137.NASL", "REDHAT-RHSA-2023-3136.NASL", "SL_20220420_JAVA_11_OPENJDK_ON_SL7_X.NASL", "SUSE_SU-2022-1474-1.NASL", "SUSE_SU-2022-1513-1.NASL", "SUSE_SU-2022-2530-1.NASL", "SUSE_SU-2022-2531-1.NASL", "SUSE_SU-2022-2539-1.NASL", "SUSE_SU-2022-2540-1.NASL", "SUSE_SU-2022-2650-1.NASL", "SUSE_SU-2022-3092-1.NASL", "SUSE_SU-2023-1850-1.NASL", "UBUNTU_USN-5388-1.NASL", "UBUNTU_USN-5388-2.NASL", "UBUNTU_USN-5546-1.NASL", "UBUNTU_USN-5546-2.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2022"]}, {"type": "oraclelinux", "idList": ["ELSA-2022-1440", "ELSA-2022-1442", "ELSA-2022-1445", "ELSA-2022-1487", "ELSA-2022-1491", "ELSA-2022-1728", "ELSA-2022-1729", "ELSA-2022-2137"]}, {"type": "osv", "idList": ["OSV:DLA-3006-1", "OSV:DSA-5128-1", "OSV:DSA-5131-1"]}, {"type": "redhat", "idList": ["RHSA-2022:1435", "RHSA-2022:1436", "RHSA-2022:1437", "RHSA-2022:1438", "RHSA-2022:1439", "RHSA-2022:1440", "RHSA-2022:1441", "RHSA-2022:1442", "RHSA-2022:1443", "RHSA-2022:1444", "RHSA-2022:1445", "RHSA-2022:1487", "RHSA-2022:1488", "RHSA-2022:1489", "RHSA-2022:1490", "RHSA-2022:1491", "RHSA-2022:1492", "RHSA-2022:1622", "RHSA-2022:1679", "RHSA-2022:1699", "RHSA-2022:1713", "RHSA-2022:1728", "RHSA-2022:1729", "RHSA-2022:1747", "RHSA-2022:2137", "RHSA-2022:2216", "RHSA-2022:2217", "RHSA-2022:2218", "RHSA-2022:2272", "RHSA-2022:2281", "RHSA-2023:3136"]}, {"type": "redhatcve", "idList": ["RH:CVE-2022-21426"]}, {"type": "rocky", "idList": ["RLSA-2022:1442", "RLSA-2022:1445", "RLSA-2022:1491"]}, {"type": "rosalinux", "idList": ["ROSA-SA-2023-2139"]}, {"type": "suse", "idList": ["SUSE-SU-2022:1513-1", "SUSE-SU-2022:2530-1", "SUSE-SU-2022:2650-1", "SUSE-SU-2022:3092-1"]}, {"type": "ubuntu", "idList": ["USN-5388-1", "USN-5388-2", "USN-5546-1", "USN-5546-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2022-21426"]}, {"type": "veracode", "idList": ["VERACODE:35226"]}]}, "epss": [{"cve": "CVE-2022-21426", "epss": 0.00059, "percentile": 0.22699, "modified": "2023-05-02"}], "vulnersScore": 2.3}, "_state": {"twitter": 0, "score": 1686752353, "dependencies": 1686763837, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "b1a814c81702dc3a9846cd0b013afee1"}, "cna_cvss": {"cna": "Oracle", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "score": 5.3}}}, "cpe": ["cpe:/o:netapp:hci_compute_node_firmware:-", "cpe:/a:azul:zulu:11.54", "cpe:/a:azul:zulu:6.45", "cpe:/a:netapp:e-series_santricity_storage_manager:-", "cpe:/a:oracle:jdk:17.0.2", "cpe:/a:azul:zulu:17.32", "cpe:/a:oracle:graalvm:22.0.0.2", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:graalvm:21.3.1", "cpe:/a:oracle:jdk:1.7.0", "cpe:/o:debian:debian_linux:11.0", "cpe:/a:netapp:santricity_unified_manager:-", "cpe:/a:oracle:graalvm:20.3.5", "cpe:/a:oracle:jdk:18", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:azul:zulu:8.60", "cpe:/a:netapp:7-mode_transition_tool:-", "cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:oracle:jdk:1.8.0", "cpe:/a:netapp:cloud_secure_agent:-", "cpe:/a:netapp:oncommand_insight:-", "cpe:/a:netapp:solidfire_\\&_hci_management_node:-", "cpe:/a:netapp:cloud_insights_acquisition_unit:-", "cpe:/a:oracle:jre:11.0.14", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:azul:zulu:15.38", "cpe:/a:azul:zulu:18.28", "cpe:/a:oracle:jdk:11.0.14", "cpe:/a:oracle:jre:18", "cpe:/a:netapp:e-series_santricity_os_controller:11.70.1", "cpe:/a:azul:zulu:7.52", "cpe:/a:netapp:solidfire\\,_enterprise_sds_\\&_hci_storage_node:-", "cpe:/a:netapp:e-series_santricity_web_services:-", "cpe:/a:azul:zulu:13.46", "cpe:/a:oracle:jre:17.0.2"], "cpe23": ["cpe:2.3:a:netapp:e-series_santricity_os_controller:11.70.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:17.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:graalvm:21.3.1:*:*:*:enterprise:*:*:*", "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*", "cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:azul:zulu:13.46:*:*:*:*:*:*:*", "cpe:2.3:a:azul:zulu:11.54:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update331:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update321:*:*:*:*:*:*", "cpe:2.3:a:netapp:solidfire\\,_enterprise_sds_\\&_hci_storage_node:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:11.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update321:*:*:*:*:*:*", "cpe:2.3:a:oracle:graalvm:22.0.0.2:*:*:*:enterprise:*:*:*", "cpe:2.3:a:azul:zulu:7.52:*:*:*:*:*:*:*", "cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:graalvm:20.3.5:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:jdk:18:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:18:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update331:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:azul:zulu:17.32:*:*:*:*:*:*:*", "cpe:2.3:a:azul:zulu:18.28:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe:2.3:a:azul:zulu:6.45:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:solidfire_\\&_hci_management_node:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:11.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:17.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:azul:zulu:8.60:*:*:*:*:*:*:*", "cpe:2.3:a:azul:zulu:15.38:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-noinfo"], "affectedSoftware": [{"cpeName": "oracle:graalvm", "version": "20.3.5", "operator": "eq", "name": "oracle graalvm"}, {"cpeName": "oracle:graalvm", "version": "21.3.1", "operator": "eq", "name": "oracle graalvm"}, {"cpeName": "oracle:graalvm", "version": "22.0.0.2", "operator": "eq", "name": "oracle graalvm"}, {"cpeName": "oracle:jdk", "version": "18", "operator": "eq", "name": "oracle jdk"}, {"cpeName": "oracle:jdk", "version": "17.0.2", "operator": "eq", "name": "oracle jdk"}, {"cpeName": "oracle:jdk", "version": "11.0.14", "operator": "eq", "name": "oracle jdk"}, {"cpeName": "oracle:jre", "version": "17.0.2", "operator": "eq", "name": "oracle jre"}, {"cpeName": "oracle:jre", "version": "11.0.14", "operator": "eq", "name": "oracle jre"}, {"cpeName": "oracle:jre", "version": "18", "operator": "eq", "name": "oracle jre"}, {"cpeName": "oracle:jre", "version": "1.7.0", "operator": "eq", "name": "oracle jre"}, {"cpeName": "oracle:jre", "version": "1.8.0", "operator": "eq", "name": "oracle jre"}, {"cpeName": "oracle:jdk", "version": "1.7.0", "operator": "eq", "name": "oracle jdk"}, {"cpeName": "oracle:jdk", "version": "1.8.0", "operator": "eq", "name": "oracle jdk"}, {"cpeName": "debian:debian_linux", "version": "9.0", "operator": "eq", "name": "debian debian linux"}, {"cpeName": "debian:debian_linux", "version": "10.0", "operator": "eq", "name": "debian debian linux"}, {"cpeName": "debian:debian_linux", "version": "11.0", "operator": "eq", "name": "debian debian linux"}, {"cpeName": "netapp:oncommand_insight", "version": "-", "operator": "eq", "name": "netapp oncommand insight"}, {"cpeName": "netapp:e-series_santricity_storage_manager", "version": "-", "operator": "eq", "name": "netapp e-series santricity storage manager"}, {"cpeName": "netapp:solidfire_\\&_hci_management_node", "version": "-", "operator": "eq", "name": "netapp solidfire \\& hci management node"}, {"cpeName": "netapp:santricity_unified_manager", "version": "-", "operator": "eq", "name": "netapp santricity unified manager"}, {"cpeName": "netapp:e-series_santricity_web_services", "version": "-", "operator": "eq", "name": "netapp e-series santricity web services"}, {"cpeName": "netapp:7-mode_transition_tool", "version": "-", "operator": "eq", "name": "netapp 7-mode transition tool"}, {"cpeName": "netapp:hci_compute_node_firmware", "version": "-", "operator": "eq", "name": "netapp hci compute node firmware"}, {"cpeName": "netapp:active_iq_unified_manager", "version": "-", "operator": "eq", "name": "netapp active iq unified manager"}, {"cpeName": "netapp:e-series_santricity_os_controller", "version": "11.70.1", "operator": "le", "name": "netapp e-series santricity os controller"}, {"cpeName": "netapp:cloud_insights_acquisition_unit", "version": "-", "operator": "eq", "name": "netapp cloud insights acquisition unit"}, {"cpeName": "netapp:cloud_secure_agent", "version": "-", "operator": "eq", "name": "netapp cloud secure agent"}, {"cpeName": "netapp:solidfire\\,_enterprise_sds_\\&_hci_storage_node", "version": "-", "operator": "eq", "name": "netapp solidfire\\, enterprise sds \\& hci storage node"}, {"cpeName": "azul:zulu", "version": "7.52", "operator": "eq", "name": "azul zulu"}, {"cpeName": "azul:zulu", "version": "8.60", "operator": "eq", "name": "azul zulu"}, {"cpeName": "azul:zulu", "version": "11.54", "operator": "eq", "name": "azul zulu"}, {"cpeName": "azul:zulu", "version": "13.46", "operator": "eq", "name": "azul zulu"}, {"cpeName": "azul:zulu", "version": "15.38", "operator": "eq", "name": "azul zulu"}, {"cpeName": "azul:zulu", "version": "17.32", "operator": "eq", "name": "azul zulu"}, {"cpeName": "azul:zulu", "version": "6.45", "operator": "eq", "name": "azul zulu"}, {"cpeName": "azul:zulu", "version": "18.28", "operator": "eq", "name": "azul zulu"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:graalvm:20.3.5:*:*:*:enterprise:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:graalvm:21.3.1:*:*:*:enterprise:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:graalvm:22.0.0.2:*:*:*:enterprise:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdk:18:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdk:17.0.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdk:11.0.14:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jre:17.0.2:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jre:11.0.14:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jre:18:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update331:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jre:1.8.0:update321:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdk:1.7.0:update331:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:oracle:jdk:1.8.0:update321:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:solidfire_\\&_hci_management_node:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:netapp:hci_compute_node_firmware:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_os_controller:11.70.1:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndIncluding": "11.70.1", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:solidfire\\,_enterprise_sds_\\&_hci_storage_node:-:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:azul:zulu:7.52:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:azul:zulu:8.60:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:azul:zulu:11.54:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:azul:zulu:13.46:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:azul:zulu:15.38:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:azul:zulu:17.32:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:azul:zulu:6.45:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:azul:zulu:18.28:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20220429-0006/", "name": "https://security.netapp.com/advisory/ntap-20220429-0006/", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://www.debian.org/security/2022/dsa-5128", "name": "DSA-5128", "refsource": "DEBIAN", "tags": ["Third Party Advisory"]}, {"url": "https://www.debian.org/security/2022/dsa-5131", "name": "DSA-5131", "refsource": "DEBIAN", "tags": ["Third Party Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html", "name": "[debian-lts-announce] 20220514 [SECURITY] [DLA 3006-1] openjdk-8 security update", "refsource": "MLIST", "tags": ["Mailing List", "Third Party Advisory"]}], "product_info": [{"vendor": "Oracle Corporation", "product": "Java SE JDK and JRE"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.", "lang": "en", "type": "text"}]}], "exploits": [], "assigned": "1976-01-01T00:00:00"}

{"ibm": [{"lastseen": "2023-06-02T17:34:34", "description": "## Summary\n\nA flaw in the XML component of IBM Java Technology Edition used by IBM Tivoli System Automation Application Manager has been identified. These issues were disclosed as part of the IBM Java SDK updates in Apr 2022.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Tivoli System Automation Application Manager| 4.1 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation Application Manager. To select the fix you need to apply in your environment, click on 'Download link' in the table below. \n\n * If you are running IBM Tivoli System Automation Application Manager 4.1.0.2, please apply interim fix \"**4.1.0.2-TIV-SAAMR-<OS>-IF0014**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.2.\n * If you are running IBM Tivoli System Automation Application Manager 4.1.0.3, please apply interim fix \"**4.1.0.3-TIV-SAAMR-<OS>-IF0010**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.3.\n * If you are running IBM Tivoli System Automation Application Manager 4.1.0.4, please apply interim fix \"**4.1.0.4-TIV-SAAMR-<OS>-IF0007**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.4.\n * If you are running IBM Tivoli System Automation Application Manager 4.1.0.5, please apply interim fix \"**4.1.0.5-TIV-SAAMR-<OS>-IF0005**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.5.\n**Product**| **VRMF**| **APAR** \n---|---|--- \nIBM Tivoli System Automation Application Manager| 4.1| [Download Link](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+System+Automation+Application+Manager&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2023-06-02T15:17:22", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java XML affect IBM Tivoli System Automation Application Manager deferred from Oracle Apr 2022 CPU (CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-02T15:17:22", "id": "8C5187EDAE3F30F7A01C23E8A3AAEFAA66BC89E92713C66FE4606F1B1870BA63", "href": "https://www.ibm.com/support/pages/node/7000997", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-05T17:35:02", "description": "## Summary\n\nA flaw in the XML component of IBM Java Technology Edition used by v4.1.0.4 to v4.1.1.0 of IBM Tivoli System Automation for Multiplatforms has been identified. These issues were disclosed as part of the IBM Java SDK updates in Apr 2022.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Tivoli System Automation for Multiplatforms| 4.1 \n \n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation for Multiplatforms. To select the fix you need to apply in your environment, click on 'Download link' in the table below. \n\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.0.4, please apply interim fix \"**4.1.0.4-TIV-ITSAMP-<OS>-IF0018**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.0.4.\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.0.5, please apply interim fix \"**4.1.0.5-TIV-ITSAMP-<OS>-IF0012**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.0.5.\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.0.6, please apply interim fix \"**4.1.0.6-TIV-ITSAMP-<OS>-IF0007**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.0.6.\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.0.7, please apply interim fix \"**4.1.0.7-TIV-ITSAMP-<OS>-IF0005**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.0.7.\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.1.0, please apply interim fix \"**4.1.1.0-TIV-ITSAMP-<OS>-IF0001**\" where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.1.0.\n\n**Product**| **VRMF**| **APAR** \n---|---|--- \nIBM Tivoli System Automation for Multiplatforms| 4.1| [Download Link](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+System+Automation+for+Multiplatforms&release=All&platform=All&function=all> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2023-06-05T15:18:48", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java XML affect IBM Tivoli System Automation for Multiplatforms deferred from Oracle Apr 2022 CPU (CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-05T15:18:48", "id": "A62622AACE3EDEE7C0685473486C2416A776458E05DC1E5DCDF6CAEDC18554F3", "href": "https://www.ibm.com/support/pages/node/7000999", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-14T17:36:37", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Versions. Sterling Connect:Direct Browser User Interface has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nSterling Connect Direct Browser| 1.5.0.2 \nSterling Connect Direct Browser| 1.4.1.1 \n \n\n\n## Remediation/Fixes\n\n**Product**| **Version**| **Fix/Remediation \n** \n---|---|--- \nIBM Sterling Connect:Direct Browser User Interface| 1.5.0.2| Apply 1.5.0.2 iFix-35, available in cumulative iFix035 on [Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fSterling+Connect%3aDirect+Browser+User+Interface> \"\" ) \nIBM Sterling Connect:Direct Browser User Interface| 1.4.1.1| Apply 1.5.0.2 iFix-35, available in cumulative iFix035 on [Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fSterling+Connect%3aDirect+Browser+User+Interface> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-26T03:41:20", "type": "ibm", "title": "Security Bulletin: : IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-05-26T03:41:20", "id": "F1A3C1D97DA756217EC632D6907F150A84B75091EECA5C387606676B94FB2E66", "href": "https://www.ibm.com/support/pages/node/6998677", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-16T21:36:17", "description": "## Summary\n\nThere is a vulnerability in IBM SDK Java Technology Editioni, Version 1.8 and IBM Runtime Environment Java Version 1.8 used by Rational Performance Tester. Rational Performance Tester has addressed the applicable CVE.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRPT| 9.5 \n \n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nRPT| 9.5| None| [https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=Rational-RPT-JavaPatch-Java8SR7FP20&continue=1&source=SAR](<https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=Rational-RPT-JavaPatch-Java8SR7FP20&continue=1&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-16T19:15:13", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Performance Tester.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-16T19:15:13", "id": "C059E6471C5CA981A5CB491F3D5A4861F2BA605A6C837BB0F27E344C67B16950", "href": "https://www.ibm.com/support/pages/node/7004709", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-16T21:37:04", "description": "## Summary\n\nThere is a vulnerability in IBM SDK Java Technology Edition, Version 1.8 and IBM Runtime Environment Java Version 1.8 used by Rational Service Tester. Rational Service Tester has addressed the applicable CVE.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRST| 9.5 \n \n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nRST| 9.5| None| [https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=Rational-RST-JavaPatch-Java8SR7FP20&continue=1&source=SAR](<https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=Rational-RST-JavaPatch-Java8SR7FP20&continue=1&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-16T19:18:14", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Service Tester.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-16T19:18:14", "id": "0C4F33B9834BE4DCCBB315C6A51D7A6C22168F3238B03C20F333D6AA3D1001BD", "href": "https://www.ibm.com/support/pages/node/7004711", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-14T17:36:35", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Versions. IBM Sterling Connect:Direct Web Services has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Connect Direct Web Services| 1.0 \nIBM Sterling Connect:Direct Web Services| 6.1.0 \nIBM Sterling Connect:Direct Web Services| 6.2.0 \nIBM Connect:Direct Web Services| 6.0 \n \n\n\n## Remediation/Fixes\n\n**Product(s)**| **Version(s)**| **Remediation/Fix \n** \n---|---|--- \nIBM Connect Direct Web Services| 1.0| Apply 6.0.0.14, available on** **[Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fIBM+Connect%3aDirect+Web+Services> \"\" ) \nIBM Connect:Direct Web Services| 6.0| Apply 6.0.0.14, available on [Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fIBM+Connect%3aDirect+Web+Services> \"\" ) \nIBM Sterling Connect:Direct Web Services| 6.1.0| Apply 6.1.0.18, available on [Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fIBM+Connect%3aDirect+Web+Services> \"\" ) \nIBM Sterling Connect:Direct Web Services| 6.2.0| Apply 6.2.0.15, available on [Fix Central](<https://www.ibm.com/support/fixcentral/options?selectionBean.selectedTab=find&selection=ibm%2fOther+software%3bibm%2fOther+software%2fIBM+Connect%3aDirect+Web+Services> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-26T03:47:56", "type": "ibm", "title": "Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-05-26T03:47:56", "id": "2BD5EB1610BFB9D059F9C086849D8EBB4229D9076E95833FFFD115789209904F", "href": "https://www.ibm.com/support/pages/node/6998685", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-14T17:36:36", "description": "## Summary\n\nIBM Java is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nHMC V10.1.1010.0| V10.1.1010.0 \nHMC V9.2.950.0| V9.2.950.0 \n \n\n\n## Remediation/Fixes\n\nThe following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>\n\nProduct\n\n| \n\nVRMF\n\n| \n\nAPAR\n\n| \n\nRemediation/Fix \n \n---|---|---|--- \n \nPower HMC\n\n| \n\nV9.2.950.0 SP3 ppc\n\n| \n\nMB04397\n\n| \n\n[MH01954](<https://www.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~vHMCppc&release=V9R2&platform=All> \"MH01954\" ) \n \nPower HMC\n\n| \n\nV9.2.950.0 SP3 x86\n\n| \n\nMB04396\n\n| \n\n[MH01953](<https://www.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~vHMC&release=V9R2&platform=All> \"MH01953\" ) \n \nPower HMC\n\n| \n\nV10.1.1020.0 SP1 ppc\n\n| \n\nMB04403\n\n| \n\n[MF70892](<https://www.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~vHMCppc&release=V9R2&platform=All> \"MF70892\" ) \n \nPower HMC\n\n| \n\nV10.1.1020.0 SP1 x86\n\n| \n\nMB04402\n\n| \n\n[MF70891](<https://www.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~vHMC&release=V10R1&platform=All> \"MF70891\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-26T05:21:51", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java (CVE-2022-21426) affects Power HMC", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-05-26T05:21:51", "id": "408C74D95484E93E05D0B99834A53E6E9E970957DE240B861F1293CA7C8A6A1C", "href": "https://www.ibm.com/support/pages/node/6998705", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-06T17:37:14", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM SDK Java Technology used by App Connect Professional. These issue were disclosed as part of the IBM Java SDK updates in April 2022, App Connect Professional have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nApp connect professional| 755 \n \n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| APAR| 7550 Fixcentral link \n---|---|---|--- \nApp Connect Professional| 7.5.5.0| LI82988| [7550 Fixcentral link](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm%2FWebSphere%2FApp+Connect+Professional&release=7.5.5.0&platform=All&function=fixId&fixids=7.5.5.0-WS-ACP-20230621-1152_H30_64-CUMUIFIX-020.builtDockerImage,7.5.5.0-WS-ACP-20230621-1152_H30_64-CUMUIFIX-020.docker,7.5.5.0-WS-ACP-20230621-1152_H30_64-CUMUIFIX-020.vcrypt2,7.5.5.0-WS-ACP-20230621-1152_H30_64-CUMUIFIX-020.sc-linux,7.5.5.0-WS-ACP-20230621-1152_H30_64-CUMUIFIX-020.32bit.sc-linux,7.5.5.0-WS-ACP-20230621-1153_H8_64-CUMUIFIX-020.studio,7.5.5.0-WS-ACP-20230621-1152_H30_64-CUMUIFIX-020.ova,7.5.5.0-WS-ACP-20230621-1153_H8_64-CUMUIFIX-020.32bit.studio,7.5.5.0-WS-ACP-20230621-1152_H30_64-CUMUIFIX-020.32bit.sc-win,7.5.5.0-WS-ACP-20230621-1152_H30_64-CUMUIFIX-020.sc-win,&includeSupersedes=0> \"7550 Fixcentral link\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-07-06T17:18:39", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects App Connect Professional.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-07-06T17:18:39", "id": "68F7F2AEEE8CE9C25FC795CC19BC1C2B3688AF19BF6FD0F38D6FB1B223ED5A15", "href": "https://www.ibm.com/support/pages/node/7010059", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-27T09:38:20", "description": "## Summary\n\nA vulnerability exists in IBM\u00ae SDK Java\u2122 Technology Edition, Version 8.0.7.20 and earlier, which is used by IBM Tivoli Network Configuration Manager IP Edition v6.4.2.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNCM| 6.4.2 \n \n## Remediation/Fixes\n\nNote that only standalone worker servers and compliance servers (i.e. those which are not co-located on the same machine as a presentation server) need to have their JRE updated. To update the Java Runtime Environment (JRE), complete the following steps.\n\n1\\. Locate the appropriate IBM JRE for your operating system on the IBM Fix Central website.\n\nAIX: [IBM Java 8.0.8.0 for AIX](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EWebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=fixId&fixids=8.0.8.0-JavaTech-JavaSE-AIXpSeries64-ServiceRefresh8&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\nLinux: [IBMJava 8.0.8.0 for 64-bit Linux](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EWebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=Linux+64-bit,x86_64&function=fixId&fixids=8.0.8.0-JavaTech-JavaSE-Linuxx86_6464-ServiceRefresh8&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\nzLinux: [IBM Java 8.0.8.0 for Linux for z/OS](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7EWebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=Linux+64-bit,zSeries&function=fixId&fixids=8.0.8.0-JavaTech-JavaSE-LinuxzSeries64-ServiceRefresh8&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" )\n\n2\\. Download version 8.0.8.0 in archive, rather than binary, form and install it.\n\n3\\. Back up the directory $NCMHOME/jre.\n\n4\\. Stop all running processes of the compliance or worker server by using the \u201citncm.sh stop\u201d command.\n\n5\\. Delete the contents of the $NCMHOME/jre/bin and $NCMHOME/jre/lib directory.\n\n6\\. Copy the contents of the bin and lib directories from the JRE that you installed in step 2 to $NCMHOME/jre/bin and $NCHOME/jre/lib, respectively.\n\n7\\. Restart the compliance or worker server by using the \u201citncm.sh start\u201d command.\n\nTo roll back to the previous Netcool Configuration Manager compliance or worker server JRE, restore the backup that you made in step 3. Perform the rollback, then perform steps 4 to 7 again.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2023-06-27T07:54:58", "type": "ibm", "title": "Security Bulletin: A vulnerabbility exists in the IBM\u00ae SDK, Java\u2122 Technology Edition affect IBM Tivoli Network Configuration Manager (CVE-2022-21426).", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-27T07:54:58", "id": "17566E28965DC61A276C9A063E8C37A2A5F8A6A9ACF149A1FFA4C315A9A9DE63", "href": "https://www.ibm.com/support/pages/node/7007317", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-14T17:40:11", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 that are used by Maximo Asset Management, Maximo Industry Solutions (including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities) and IBM Control Desk. These issues were disclosed as part of the IBM Java SDK updates in January 2023. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Maximo Asset Management | 7.6.1.2 \nIBM Maximo Asset Management | 7.6.1.3 \n \n## Remediation/Fixes\n\nThere are three areas where the vulnerabilities in the Java SDK/JDK or JRE may require remediation: \n \n1\\. Application Server \u2013 Update the Websphere Application Server. Refer to [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to January 2023 CPU plus deferred CVE-2022-21426](<https://www.ibm.com/support/pages/node/6980375> \"Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to January 2023 CPU plus deferred CVE-2022-21426\" ) for additional information on updating and maintaining the JDK component within Websphere. Customers with Oracle Weblogic Server, which is not an IBM product and is not shipped by IBM, will also want to update their server. \n \n2\\. Browser Client - Update the Java plug-in used by the browser on client systems, using the remediated JRE version referenced on [developerWorks JavaTM Technology Security Alerts](<http://www.ibm.com/developerworks/java/jdk/alerts/>) or referenced on [Oracle\u2019s latest Critical Patch Update](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) (which can be accessed via [developerWorks JavaTM Technology Security Alerts](<http://www.ibm.com/developerworks/java/jdk/alerts/>)). Updating the browser Java plug-in may impact some applets such as Maximo Asset Management Scheduler. Download from IBM FixCentral the latest [Maximo Asset Management Fix Pack](<http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Maximo+Asset+Management&release=All&platform=All&function=all&source=fc>).\n\n3\\. Admin Tools - Update the JRE version in the <MAXIMO_HOME>/tools/java directory using the remediated JRE version referenced on [Java SDK downloads, version 8.0](<https://www.ibm.com/support/pages/java-sdk-downloads-version-80> \"Java SDK downloads, version 8.0\" ).\n\n \nDue to the threat posed by a successful attack, IBM strongly recommends that customers apply fixes as soon as possible.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-02T21:34:55", "type": "ibm", "title": "Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - January 2023 - Includes Oracle January 2023 CPU", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-05-02T21:34:55", "id": "25BB8EE478BAB36FA7FCE8080766EC4C78D22510783D2348090CF2F616F77A70", "href": "https://www.ibm.com/support/pages/node/6987835", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-23T01:36:12", "description": "## Summary\n\nJava SE is used by the IBM Storage Protect Server and may be affected by this vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Storage Protect Server| 8.1 \n \n## Remediation/Fixes\n\n**IBM Storage Protect Server Affected Versions**| **Fixing Level**| **Platform**| **Link to Fix and Instructions** \n---|---|---|--- \n8.1.0.000 - 8.1.18.xxx| 8.1.19| AIX, Linux, Windows| <https://www.ibm.com/support/pages/node/6988821> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-22T18:30:31", "type": "ibm", "title": "Security Bulletin: IBM Storage Protect Server is vulnerable to denial of service due to Java SE (CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-22T18:30:31", "id": "872702CED8F809873181556FCDABD834505891905F84F9FD73AD4986528D55FF", "href": "https://www.ibm.com/support/pages/node/7006391", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-14T17:42:44", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about security vulnerabilities affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nWebGUI 8.1.0 GA and FP| Websphere Application Server V8.5 and V9 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Multiple vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to January 2023 CPU plus deferred CVE-2022-21426](<https://www.ibm.com/support/pages/node/6980375>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-04-13T02:14:04", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - January 2023 CPU plus deferred CVE-2022-21426", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-04-13T02:14:04", "id": "1E4854A903497616A9D2E489883B7097A216137D8A9C20DACDE93B4250B7ADEF", "href": "https://www.ibm.com/support/pages/node/6983454", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-23T01:36:44", "description": "## Summary\n\nThere was a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 and IBM\u00ae Runtime Environment Java\u2122 Version 8 used by Rational Business Developer. Rational Business Developer has addressed the applicable CVE. This issue was disclosed as part of the IBM Java XML vulnerability CVE-2022-21426, deferred from Oracle Apr 2022 CPU\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRBD| 9.5 - 9.5.1.2 \nRBD| 9.6 - 9.6.0.1 \nRBD| 9.7 \n \n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation / First Fix**| **File Name** \n---|---|---|---|--- \n_Rational Business Developer_| 9.5 - 9.5.1.2| None| \n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.5.0&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.5.0&platform=All&function=all> \"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.5.0&platform=All&function=all\" )\n\n| \nRBD_9.5_IBM_JDK8_SR8_FP0 \n_Rational Business Developer_| 9.6 - 9.6.0.1| None| \n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.6&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.6&platform=All&function=all> \"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.6&platform=All&function=all\" )\n\n| RBD_9.6_IBM_JDK8_SR8_FP0 \n_Rational Business Developer_| 9.7| None| [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.7.0&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.7.0&platform=All&function=all> \"https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.7.0&platform=All&function=all\" )| RBD_9.7_IBM_JDK8_SR8_FP0 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-22T19:35:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-22T19:35:12", "id": "52D70CB06062F15D668F053C1F8E44D682C68BD8E9555E5DD80D2C6DE18685EC", "href": "https://www.ibm.com/support/pages/node/7006407", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-28T17:37:32", "description": "## Summary\n\nCVE-2022-21426 may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM TXSeries for Multiplatforms. IBM TXSeries for Multiplatforms has addressed the applicable CVE.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM TXSeries for Multiplatforms| 8.1 \nIBM TXSeries for Multiplatforms| 8.2 \nIBM TXSeries for Multiplatforms| 9.1 \n \n## Remediation/Fixes\n\nProduct| Version| Platform| Remediation/Fix \n---|---|---|--- \nIBM TXSeries for Multiplatforms| \n\n8.1\n\n| Linux, AIX| PSIRT fixes for IBM TXSeries for Multiplatforms 8.1 will only be provided for extended support customers on request through Salesforce case. \nIBM TXSeries for Multiplatforms| \n\n8.2\n\n| Linux, AIX| [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FTXSeries+for+Multiplatforms&fixids=TXSeries_82_SpecialFIX_Java_062023&source=SAR>) \nIBM TXSeries for Multiplatforms| \n\n9.1\n\n| Linux, AIX| [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FTXSeries+for+Multiplatforms&fixids=TXSeries_91_SpecialFIX_Java_062023&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-28T12:35:33", "type": "ibm", "title": "Security Bulletin: CVE-2022-21426 may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM TXSeries for Multiplatforms", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-28T12:35:33", "id": "F84D486AA810B46EE5EE6FC3DBA9BFFD8D5E302380DF519189BF06A5D4E97BA8", "href": "https://www.ibm.com/support/pages/node/7007763", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T06:00:04", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped with IBM Security Identity Manager (ISIM). Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Verify Governance, Identity Manager software component| 10.0 \nISIM| 6.0.0 \nISIM| 6.0.2 \n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version(s)| Affected Supporting Product Security Bulletin \n---|---|--- \nISIM 6.0.0 ISIM 6.0.2 \n\nISIM ISVG 10.0.4\n\n| \n\nWAS 7, 8.5\n\nWAS 9.0\n\nWAS 9.0\n\n| [IBM SDK, Java Technology Edition Quarterly CPU - Apr 2022 - Includes Oracle April 2022 CPU (minus CVE-2022-21426)](<https://www.ibm.com/support/pages/node/6594523> \"IBM SDK, Java Technology Edition Quarterly CPU - Apr 2022 - Includes Oracle April 2022 CPU \$minus CVE-2022-21426\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-08-31T20:09:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Security Identity Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2022-08-31T20:09:38", "id": "01A50703477A1B666E966BF1B72B350DC27813F59907D29FAE3903822284A578", "href": "https://www.ibm.com/support/pages/node/6616707", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-22T17:35:57", "description": "## Summary\n\nJava SE is used by IBM Storage Protect Operations Center and may be affected by this vulnerability.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Storage Protect Operations Center| 8.1 \n \n## Remediation/Fixes\n\n**IBM Storage Protect Operations Center Affected Versions**| **Fixing Level**| **Platform**| **Link to Fix and Instructions** \n---|---|---|--- \n8.1.0.000 - 8.1.18.xxx| 8.1.19| AIX, Linux, Windows| <https://www.ibm.com/support/pages/node/6988821> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-22T18:12:37", "type": "ibm", "title": "Security Bulletin: IBM Storage Protect Operations Center is vulnerable to denial of service due to Java SE (CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-22T18:12:37", "id": "C0276662C689772637EAF0F1EA697AAE7618A640211E05E14816B6C45314B710", "href": "https://www.ibm.com/support/pages/node/7006377", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-27T21:36:05", "description": "## Summary\n\nIBM\u00ae SDK Java\u2122 Technology Edition is shipped as a component of IBM Tivoli Business Service Manager. IBM Tivoli Business Service Manager has addressed the applicable issue, CVE-2022-21426.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Business Service Manager| 6.2.0 \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\nProduct| VRMF| APAR| Remediation \n---|---|---|--- \nIBM Tivoli Business Service Manager 6.2.0.0 - 6.2.0.4| 6.2.0.5| IJ46859| Upgrade to [IBM Tivoli Business Service Manager 6.2.0.5](<https://www.ibm.com/support/pages/node/6967337> \"IBM Tivoli Business Service Manager 6.2.0.5\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-27T20:34:28", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-27T20:34:28", "id": "429FC4FA5EEB95C5495D7813A60D40A63DB4599EB3153E48A61C40D14067F43D", "href": "https://www.ibm.com/support/pages/node/7007581", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-14T17:42:47", "description": "## Summary\n\nCVE-2022-21426 was disclosed as part of the Oracle April 2022 Critical Patch Update.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n7.1.0.0 - 7.1.5.16 \n8.0.0.0 - 8.0.7.20\n\n## Remediation/Fixes\n\n7.1.5.17 (restricted access) \n8.0.8.0\n\nIBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from the [Java Developer Center](<https://developer.ibm.com/javasdk/downloads/>).\n\nIBM customers requiring an update for an SDK shipped with an IBM product should contact [IBM support](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-04-11T17:14:46", "type": "ibm", "title": "Security Bulletin: CVE-2022-21426 may affect IBM\u00ae SDK, Java\u2122 Technology Edition", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-04-11T17:14:46", "id": "4E89B826442329F84F608AEBC62A661FE54088D85110F141977090AA4AB8678E", "href": "https://www.ibm.com/support/pages/node/6967221", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-28T13:36:14", "description": "## Summary\n\nCVE-2022-21426 may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM CICS TX Advanced. IBM CICS TX Advanced has addressed the applicable CVE. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM CICS TX Advanced| 10.1 \nIBM CICS TX Advanced| 11.1 \n \n## Remediation/Fixes\n\nProduct| Version| Platform| Remediation/Fix \n---|---|---|--- \nIBM CICS TX Advanced| \n\n10.1\n\n| Linux| [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCICS+TX+on+Cloud&fixids=ibm-cics-tx-advanced-docker-image-10.1.0.0-ifix19&source=SAR>) \nIBM CICS TX Advanced| \n\n11.1\n\n| Linux| [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCICS+TX+on+Cloud&fixids=ibm-cics-tx-advanced-image-11.1.0.0-ifix11&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-28T12:28:00", "type": "ibm", "title": "Security Bulletin: CVE-2022-21426 may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM CICS TX Advanced", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-28T12:28:00", "id": "A52A98EDDE1D6C0A6034F96CE62C30E3EEF3E309278235A82CB3223AEB327B9E", "href": "https://www.ibm.com/support/pages/node/7007755", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-27T13:42:45", "description": "## Summary\n\nCVE-2022-21426 vulnerability in JAXP component in Java SE could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Microsoft SharePoint| 4.0.1 \nContent Collector for Email| 4.0.1 \nContent Collector for File Systems| 4.0.1 \n \n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1| Use Content Collector for Email 4.0.1.15 [Interim Fix IF005](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.15-IBM-ICC-IF005&source=SAR>) \nContent Collector for File Systems| 4.0.1| Use Content Collector for File Systems 4.0.1.15 [Interim Fix IF005](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.15-IBM-ICC-IF005&source=SAR>) \nContent Collector for Microsoft SharePoint| 4.0.1| Use Content Collector for Microsoft SharePoint 4.0.1.15 [Interim Fix IF005](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.15-IBM-ICC-IF005&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-27T12:26:04", "type": "ibm", "title": "Security Bulletin: CVE-2022-21426 may affect JAXP component in Java SE used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-27T12:26:04", "id": "8272C3C28C61C1E53D2F9385C1190611F387B7773B4464CDEBC68719D4A010B1", "href": "https://www.ibm.com/support/pages/node/7007387", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-14T17:42:43", "description": "## Summary\n\nWebSphere Application Server traditional and WebSphere Application Server Liberty profile are shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional and Liberty profile have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s)| Status| Note \n---|---|---|--- \nIBM Business Automation Workflow traditional| V22.0.1 - V22.0.2 \nV21.0.1 - V21.0.3.1 \nV20.0.0.1 - V20.0.0.2 \nV19.0.0.1 - V19.0.0.3 \nV18.0.0.0 - V18.0.0.2| affected| Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed. \nIBM Business Automation Workflow Enterprise Service Bus| V22.0.2| affected| Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed. \n \nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\n\n \n\n\n## Remediation/Fixes\n\nPlease consult the [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to January 2023 CPU plus deferred CVE-2022-21426](<https://www.ibm.com/support/pages/node/6980375>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-04-13T12:30:24", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM\u00ae Java SDK CPU January 2023)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-04-13T12:30:24", "id": "AD3C91C9E37A5C20144E0684A93E665E701EC4602A4275E6CB679E8ABF67832C", "href": "https://www.ibm.com/support/pages/node/6983492", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-07T21:40:18", "description": "## Summary\n\nCVE-2022-21426 may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM CICS TX Standard. IBM CICS TX Standard has addressed the applicable CVE. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM CICS TX Standard| 11.1 \n \n## Remediation/Fixes\n\nProduct| Version| Platform| Remediation/Fix \n---|---|---|--- \nIBM CICS TX Standard| \n\n11.1\n\n| Linux| [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FCICS+TX+Standard&fixids=ibm-cics-tx-standard-image-11.1.0.0-ifix11&source=SAR>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-28T12:30:28", "type": "ibm", "title": "Security Bulletin: CVE-2022-21426 may affect IBM\u00ae SDK, Java\u2122 Technology Edition shipped with IBM CICS TX Standard", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-28T12:30:28", "id": "B47E12F9B1159C7E12C18A61FA184BEA99E5D99C56221EB34EC436444551FDF1", "href": "https://www.ibm.com/support/pages/node/7007759", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-17T01:36:54", "description": "## Summary\n\nIBM Sterling Control Center uses Java SE. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Control Center| 6.1.3.0 \nIBM Sterling Control Center| 6.2.1.0 \nIBM Sterling Control Center| 6.3.0.0 \n \n## Remediation/Fixes\n\nProduct\n\n| \n\nVersion\n\n| \n\nRemediation \n \n---|---|--- \n \nIBM Sterling Control Center\n\n| \n\n6.1.3.0 GA through iFix16\n\n| \n\n6.1.3.0 iFix17 [Fix Central - 6.1.3.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.1.3.0&platform=All&function=all>) \n \nIBM Sterling Control Center\n\n| \n\n6.2.1.0 GA through iFix11\n\n| \n\n6.2.1.0 iFix12 [Fix Central - 6.2.1.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.1.0&platform=All&function=all>) \n \nIBM Sterling Control Center\n\n| \n\n6.3.0.0 GA through iFix02\n\n| \n\n6.3.0.0 iFix03 [Fix Central - 6.3.0.0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.3.0.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-16T19:45:45", "type": "ibm", "title": "Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service attack due to Java SE (CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-16T19:45:45", "id": "3118493A71581AC954C4C2FEC569296F8E85DBAA3E998BAE5607C264EDCEDAC3", "href": "https://www.ibm.com/support/pages/node/7004723", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-27T21:37:04", "description": "## Summary\n\nIBM\u00ae SDK Java\u2122 Technology Edition is shipped as a component of IBM Tivoli Netcool Impact. IBM Tivoli Netcool Impact has addressed the applicable issue, CVE-2022-21426.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool Impact| 7.1.0 \n \n## Remediation/Fixes\n\n### Remediation/Fixes:\n\nProduct| VRMF| APAR| Remediation \n---|---|---|--- \nIBM Tivoli Netcool Impact 7.1.0.0 - 7.1.0.29| 7.1.0.30| IJ47133| Upgrade to IBM Tivoli Netcool Impact 7.1.0 FP30 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-06-27T20:34:13", "type": "ibm", "title": "Security Bulletin: A security vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-06-27T20:34:13", "id": "AF27D927E033F9A05944EF734E31C26BDC37F05372B123BB70E9C78AFEEEC60D", "href": "https://www.ibm.com/support/pages/node/7007579", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-05T21:40:14", "description": "## Summary\n\nA vulnerability have been identified in IBM Java which is shipped with IBM\u00ae Intelligent Operations Center. Information about this vulnerability affecting IBM\u00ae Intelligent Operations Center have been published and addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIntelligent Operations Center (IOC)| 5.1.0, 5.1.0.2, 5.1.0.3, 5.1.0.4, 5.1.0.6, 5.2, 5.2.1, 5.2.2, 5.2.3 \n \n## Remediation/Fixes\n\nThe recommended solution is to apply an interim fix that contains the fix for this issue as soon as practical.\n\nDownload the IBM Intelligent Operations Center Version 5.2.4 is an upgrade to IBM Intelligent Operations Center Version 5.2.3 through IBM Intelligent Operations Center Version 5.2 from the following link:\n\n[IBM Intelligent Operations Center Version 5.2.4](<https://www.ibm.com/support/pages/node/7022369>)\n\nInstallation instructions for the fix are included in the readme document that is in the fix package.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-09-05T13:36:48", "type": "ibm", "title": "Security Bulletin: A vulnerability found in IBM Java which is shipped with IBM\u00ae Intelligent Operations Center(CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-09-05T13:36:48", "id": "5AD5A28018AFE1C7EEED27348294C87054AC9399C243DBAD3FFCDE9C53307F2F", "href": "https://www.ibm.com/support/pages/node/7030641", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-14T17:40:40", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM/GKLM). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Security Key Lifecycle Manager (SKLM) v3.0 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager (SKLM) v3.0.1 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager (SKLM) v4.0 | WebSphere Application Server v9.0.5.0 \nIBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | WebSphere Application Server v9.0.5.5 \nIBM Security Guardium Key Lifecycle Manager (GKLM) v4.1.1 | Websphere Liberty 21.0.0.6 \nIBM Security Guardium Key Lifecycle Manager (GKLM) v4.2 | Websphere Liberty 22.0.0.12 \n \n## Remediation/Fixes\n\nPlease consult the [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to January 2023 CPU plus deferred CVE-2022-21426 ](<https://www.ibm.com/support/pages/node/6980375>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-04-28T10:03:25", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-04-28T10:03:25", "id": "A9D23D6BF534301222123D9B10700AAE50EE9A370B9B48EBF9F771708759C2CE", "href": "https://www.ibm.com/support/pages/node/6987031", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-31T10:13:14", "description": "## Summary\n\nIBM Java Runtime (JRE) security vulnerabilities CVE-2022-21426 in FileNet Content Manager, affected, not vulnerable\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nFileNet Content Manager| 5.5.4.0 \nFileNet Content Manager| 5.5.8.0 \nFileNet Content Manager| 5.5.9.0 \n \n## Remediation/Fixes\n\nTo resolve these vulnerabilities, install IBM Java 8.0.8.0 or higher.\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager| 5.5.4.0| [PJ47048](<https://www.ibm.com/support/pages/apar/PJ47048> \"PJ47048\" ) \n[PJ47048](<https://www.ibm.com/support/pages/apar/PJ47048> \"PJ47048\" )| 5.5.4.0-P8CPE-IF010 - 6/27/2023 \n5.5.4.0-P8CSS-IF010 - 6/27/2023 \nFileNet Content Manager| 5.5.8.0| [PJ47048](<https://www.ibm.com/support/pages/apar/PJ47048> \"PJ47048\" ) \n[PJ47048](<https://www.ibm.com/support/pages/apar/PJ47048> \"PJ47048\" )| 5.5.8.0-P8CPE-IF005 - 8/30/2023 \n5.5.8.0-P8CSS-IF005 - 8/30/2023 \nFileNet Content Manager| 5.5.9.0| [PJ47048](<https://www.ibm.com/support/pages/apar/PJ47048> \"\" ) \n[PJ47048](<https://www.ibm.com/support/pages/apar/PJ47048> \"PJ47048\" )| 5.5.9.0-P8CPE-IF003 - 7/14/2023 \n5.5.9.0-P8CSS-IF003 - 7/14/2023 \n \n \nIn the above table, the APAR links will provide more information about the fix.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-08-31T00:45:22", "type": "ibm", "title": "Security Bulletin: IBM Java Runtime (JRE) security vulnerabilities CVE-2022-21426 in FileNet Content Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-08-31T00:45:22", "id": "62EDA7D9B8598A36B53A456850CF47D89AEAC5F96FE4326959694E056B4DB6B7", "href": "https://www.ibm.com/support/pages/node/6983442", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-14T17:42:38", "description": "## Summary\n\nA flaw in the XML component may lead to excessive memory consumption when compiling certain XPath expressions, which may in turn allow an attacker to inflict a denial-of-service. Following IBM\u00ae Engineering Lifecycle Engineering products are vulnerable to this attack, it has been addressed in this bulletin: Jazz Foundation, IBM Engineering Workflow Management, IBM Engineering Test Management, IBM Engineering Lifecycle Optimization - Engineering Insights, IBM Engineering Lifecycle Optimization - Publishing, IBM Jazz Reporting Service, IBM Engineering Requirements Management DOORS Next\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nJazz Foundation| 7.0 \nJazz Foundation| 7.0.1 \n7.0.2 \nIBM Jazz Reporting Service \nIBM Engineering Test Management \nIBM Engineering Requirements Management DOORS Next \nIBM Engineering Lifecycle Optimization - Publishing \nIBM Engineering Lifecycle Optimization - Engineering Insights \nIBM Engineering Workflow Management \n \n\n\n## Remediation/Fixes\n\nCVE-2022-21426 may affect IBM\u00ae Engineering Lifecycle Engineering products mentioned above. \n\nIf the Product is deployed on one of the above versions, Please follow the instruction given in the following article. \n\nLink - <https://www.ibm.com/support/pages/node/6967221>\n\nA flaw in the XML component may lead to excessive memory consumption when compiling certain XPath expressions, which may in turn allow an attacker to inflict a denial-of-service.\n\nThe fix adds new customisable limits to protect against this kind of attack.\n\nAffected Releases:\n\n\\- 7.1.5.16 and earlier \n\\- 8.0.7.20 and earlier\n\nFixed releases:\n\n\\- 7.1.5.17 and later \n\\- 8.0.8.0 and later\n\nHow to update the IBM SDK for Java of Engineering Lifecycle Management products? Please refer below article for more details.\n\n<https://www.ibm.com/support/pages/how-update-ibm-sdk-java-engineering-lifecycle-management-products>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-04-14T10:36:46", "type": "ibm", "title": "Security Bulletin: The IBM\u00ae Engineering Lifecycle Engineering product using IBM Java XML vulnerability CVE-2022-21426, deferred from Oracle Apr 2022 CPU - CVE-2022-21426", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-04-14T10:36:46", "id": "1550D8200201461EC49D4AE69DCCF18DB21420A03A569C1221D5BF7158B80766", "href": "https://www.ibm.com/support/pages/node/6983781", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T05:56:06", "description": "## Summary\n\nThere are vulnerabilities in IBM\u00ae Semeru Runtime Open Edition 11 used by SPSS Collaboration and Deployment Services. The issues have been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nSPSS Collaboration and Deployment Services| 8.4 \n \n\n\n## Remediation/Fixes\n\nProduct | VRMF| Remediation/Fix \n---|---|--- \nSPSS Collaboration and Deployment Services| 8.4.0.0 \n| [8.4.0.0](<https://www.ibm.com/support/pages/node/6621953> \"8.4.0.0\" ) \n \n**Fixes for Components:**\n\nSPSS Collaboration and Deployment Services Repository Server deployed to WebSphere Liberty profile (8.4)\n\n**Important Notes:**\n\nFor the Repository Server deployed to WebSphere Application Server traditional, it uses JRE for Websphere, please refer to Websphere document and upgrade JRE from IBM Installation Manager.\n\nFor the Repository Server deployed to other Application Server, please contact vendor for vulnerability and remediation information.\n\nYou should verify applying this fix does not cause any compatibility issues in your environment.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-09-28T04:15:41", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Semeru Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21496, CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21496"], "modified": "2022-09-28T04:15:41", "id": "B9051747F88831192F96587848768281C92A21A5454B834EF436587B70A065DE", "href": "https://www.ibm.com/support/pages/node/6824717", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T06:01:06", "description": "## Summary\n\nIBM Security Verify Governance, Identity Manager virtual appliance component has addressed the applicable CVE.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Verify Governance, Identity Manager virtual appliance component| 10.0 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s) | \n\nVersion(s)\n\n| \n\nFix Availability \n \n---|---|--- \n \nIBM Security Verify Governance, Identity Manager Virtual appliance component\n\n| \n\n10.0 FP4\n\n| \n\n[10.0.0.0-ISS-ISVG-IMVA-FP0004](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Security+Verify+Governance&release=10.0.0.0&platform=Linux&function=fixId&fixids=10.0.0.0-ISS-ISVG-IMVA-FP0004&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-08-17T20:07:42", "type": "ibm", "title": "Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2022 - Includes Oracle April 2022 CPU (minus CVE-2022-21426)affects IBM Security Verify Governance, Identity Manager virtual appliance component", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21496"], "modified": "2022-08-17T20:07:42", "id": "2086D78578107C87118705CD43C5319ABE0509F632BBA56B836AF909B50F1A9F", "href": "https://www.ibm.com/support/pages/node/6613317", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-07-29T17:52:02", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 that is used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in January 2023 and April 2022.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nInfoSphere Information Server| 11.7 \n \n## Remediation/Fixes\n\n**_Product_**| \n\n**_VRMF_**\n\n| \n\n**_APAR_**\n\n| \n\n**_Remediation/First Fix_** \n \n---|---|---|--- \n \nInfoSphere Information Server, Information Server on Cloud\n\n| \n\n11.7\n\n| \n\n[DT209705](<https://www.ibm.com/mysupport/aCI3p000000Pbt8> \"DT209705\" )\n\n| \n\n\\--Follow instructions in the [README](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is117_DT209705_ISF_services_engine_*> \"README\" ) \n\\--If not previously addressed, for AIX installations, see [Technote ](<https://www.ibm.com/support/pages/node/6448522> \"Technote\" )for class not found errors related to ProviderExceptions, Failed to initialize IBMJCEPlus provider, and jgskit (Not found in java.library.path) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-05T16:58:23", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK (January 2023) affect IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830"], "modified": "2023-05-05T16:58:23", "id": "7C4B6FB72EEDDAA73870EA526178830E841CB976F691BA86301DF8577A709CF5", "href": "https://www.ibm.com/support/pages/node/6988347", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:56:13", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM\u00ae SDK, Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. The CVE(s) listed in this document might affect some configurations of IBM WebSphere Application Server traditional and IBM WebSphere Application Server Liberty. These products have addressed the applicable CVE(s). If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, refer to the link for \"IBM Java SDK Security Bulletin\" located in the References section for more information. HP fixes are on a delayed schedule.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM WebSphere Application Server Liberty| Continuous delivery \nIBM WebSphere Application Server| 8.5 \nIBM WebSphere Application Server| 9.0 \n \n\n\n## Remediation/Fixes\n\n**For IBM WebSphere Application Server Liberty:**\n\nUpgrade to IBM SDK, Java Technology Edition Version 8 SR8 refer to [IBM Java SDKs for Liberty ](<http://www-01.ibm.com/support/docview.wss?uid=swg27049903>)\n\n**For Version 9 IBM WebSphere Application Server traditional:**\n\nUpdate to the IBM SDK, Java Technology Edition, Version 8 Service Refresh 8 using the instructions in the IBM Documentation [Installing and updating IBM SDK, Java Technology Edition on distributed environments](<https://www.ibm.com/support/knowledgecenter/en/SSEQTP_9.0.5/com.ibm.websphere.installation.base.doc/ae/tins_installation_jdk.html> \"\" ) then use the IBM Installation Manager to access the [online product repositories](<https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.installation.base.doc/ae/cins_repositories.html> \"online product repositories\" ) to install the SDK or use IBM Installation Manager and access the [packages from Fixcentral](<http://www-01.ibm.com/support/docview.wss?uid=swg24042430>).\n\n \n**For Version 8.5.0.0 through 8.5.5.23 IBM WebSphere Application Server traditional: **\n\nFor the IBM SDK, Java Technology Version that you use, upgrade to the minimal fix pack level of IBM WebSphere Application Server as noted in the interim fix below then apply the interim fixes: \n \n\n\nFor IBM SDK Java Technology Edition Version 8\n\n * For environments that have been upgraded to use the new default IBM SDK Version 8 bundled with IBM WebSphere Application Server Fix Pack 8.5.5.11 or later: Apply interim fix [PH53088](<https://www.ibm.com/support/pages/node/6967319>): Will upgrade you to IBM SDK, Java Technology Edition, Version 8 Service Refresh 8. \n\nOR\n\n * Apply IBM Java SDK shipped with IBM WebSphere Application Server Fix pack 24 (8.5.5.24) or later (targeted availability 3Q 2023).\n\n**For Application Client for IBM WebSphere Application Server: **\n\nFollow instructions above for the IBM WebSphere Application Server to download the interim fix needed for your version of the Application Client.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-04-03T16:45:50", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to January 2023 CPU plus deferred CVE-2022-21426", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830"], "modified": "2023-04-03T16:45:50", "id": "91C2B88975760C09E6FF306FEBBACC31916618B9AD886FB44932558DBAC9C9BB", "href": "https://www.ibm.com/support/pages/node/6980375", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:54:16", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 1.8 and IBM\u00ae Runtime Environment Java\u2122 Version 1.8 used by Rational Functional Tester. Rational Functional Tester has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRFT| 9.2 \nRFT| 9.5 \n \n\n\n## Remediation/Fixes\n\n**Product**| **Version**| **APAR**| **Remediation/ Fix** \n---|---|---|--- \nRFT| 9.2 - 9.5| None| Download IBM SDK, Java Technology Edition, Version 8R0 Service Refresh 7 Fix Pack 20 from the Fix Central and apply it. [https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Functional+Tester&platform=All&function=fixId&fixids=Rational-RFT-JavaPatch-Java8SR8FP0&includeRequisites=1&includeSupersedes=0&downloadMethod=http](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Functional+Tester&platform=All&function=fixId&fixids=Rational-RFT-JavaPatch-Java8SR8FP0&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-04-24T17:56:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-04-24T17:56:02", "id": "CFCC2C58BF1AD2C952636D656CF06F0EFD78FE99D3B9906329BFD0F9AF6AB31D", "href": "https://www.ibm.com/support/pages/node/6985649", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:52:40", "description": "## Summary\n\nIBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Java . \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWatson Discovery| 4.0.0-4.6.3 \n \n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 4.6.5\n\n<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-02T22:46:12", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-05-02T22:46:12", "id": "7A53E045806377D0DF2549379624E563D5C8E0F408F19CDEB870A714153397FE", "href": "https://www.ibm.com/support/pages/node/6985311", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:48:53", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Versions 8, which is used by the desktop version of IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow. IBM Process Designer has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Process Designer 8.5.7 is shipped with the following versions of IBM Business Automation Workflow:\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Business Automation Workflow| 19.0.0.3 - 22.0.2 \n \n\n\n## Remediation/Fixes\n\nInstall interim fix DT211177 for your version:\n\n * [IBM Business Automation Workflow 22.0.2](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Business+Automation+Workflow&fixids=8.6.40022020-WS-BPMPCPD-IFDT211177&source=SAR>)\n * [IBM Business Automation Workflow 21.0.3](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Business+Automation+Workflow&fixids=8.6.30021031-WS-BPMPCPD-IFDT211177&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-31T21:21:59", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-05-31T21:21:59", "id": "720FFD587B98E297434100A5E59FD063FF0989312C276C749CA94B05459D58CD", "href": "https://www.ibm.com/support/pages/node/6999743", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-28T01:41:54", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 used by 4.1.0.4 to 4.1.0.7 of IBM Tivoli System Automation for Multiplatforms. These issues were disclosed as part of the IBM Java SDK updates in Apr 2022.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli System Automation for Multiplatforms| 4.1 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation for Multiplatforms. To select the fix you need to apply in your environment, click on 'Download link' in the table below. \n\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.0.4, please apply interim fix \u201c**4.1.0.4-TIV-ITSAMP-<OS>-IF0016**\u201d where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.0.4.\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.0.5, please apply interim fix \u201c**4.1.0.5-TIV-ITSAMP-<OS>-IF0010**\u201d where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.0.5.\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.0.6, please apply interim fix \u201c**4.1.0.6-TIV-ITSAMP-<OS>-IF0005**\u201d where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.0.6.\n * If you are running IBM Tivoli System Automation for Multiplatforms 4.1.0.7, please apply interim fix \u201c**4.1.0.7-TIV-ITSAMP-<OS>-IF0003**\u201d where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of 4.1.0.7.\nProduct| VRMF| APAR \n---|---|--- \nIBM Tivoli System Automation for Multiplatforms| 4.1| [Download Link](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+System+Automation+for+Multiplatforms&release=All&platform=All&function=all> \"\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-09-13T12:52:18", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Apr 2022 CPU (CVE-2022-21434, CVE-2022-21443, CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443"], "modified": "2022-09-13T12:52:18", "id": "9F58E7FFDA8D80A4FD56687BE4C1BE660093DD7C72AE18A03F5320F8B7E0C1F0", "href": "https://www.ibm.com/support/pages/node/6619957", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-28T01:41:56", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition used by IBM Tivoli System Automation Application Manager. These issues were disclosed as part of the IBM Java SDK updates in Apr 2022.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli System Automation Application Manager| 4.1 \n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the corresponding fix to IBM Tivoli System Automation Application Manager. To select the fix you need to apply in your environment, click on 'Download link' in the table below. \n\n * If you are running IBM Tivoli System Automation Application Manager 4.1.0.2, please apply interim fix \u201c**4.1.0.2-TIV-SAAMR-<OS>-IF0012**\u201d where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.2.\n * If you are running IBM Tivoli System Automation Application Manager 4.1.0.3, please apply interim fix \u201c**4.1.0.3-TIV-SAAMR-<OS>-IF0008**\u201d where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.3.\n * If you are running IBM Tivoli System Automation Application Manager 4.1.0.4, please apply interim fix \u201c**4.1.0.4-TIV-SAAMR-<OS>-IF0005**\u201d where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.4.\n * If you are running IBM Tivoli System Automation Application Manager 4.1.0.5, please apply interim fix \u201c**4.1.0.5-TIV-SAAMR-<OS>-IF0003**\u201d where <OS> represents the operating system for which you want to install the interim fix of this product version. You can apply this interim fix on top of any fixpack of version 4.1.0.5.\nProduct| VRMF| APAR \n---|---|--- \nIBM Tivoli System Automation Application Manager| 4.1| [Download Link](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+System+Automation+Application+Manager&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-09-13T12:42:55", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Apr 2022 CPU (CVE-2022-21434, CVE-2022-21443, CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443"], "modified": "2022-09-13T12:42:55", "id": "7982C52AF077A07BEAB1AD0AFD759C1371882F030BAA768E2647C18AF085104C", "href": "https://www.ibm.com/support/pages/node/6619955", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-29T17:49:13", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM\u00ae SDK, Java\u2122 Technology Edition that is shipped with Liberty for Java for IBM Cloud. This product has addressed the applicable CVEs. If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, refer to the link for \"IBM Java SDK Security Bulletin\" located in the References section for more information.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nLiberty for Java for IBM Cloud| up to and including v4.0 \n \n \n\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java for IBM Cloud v4.1-20230516-0914 or higher, you must re-stage or re-push your application \n\nTo find the current version of Liberty for Java for IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:\n\ncf ssh <appname> -c \"cat staging_info.yml\"\n\nLook for similar lines:\n\n{\u201cdetected_buildpack\u201d:\u201cLiberty for Java(TM) (WAR, liberty-xxx, v4.1-20230516-0914, xxx, env)\u201c,\u201dstart_command\u201d:\u201c.liberty/initial_startup.rb\u201d}\n\nTo re-stage your application using the command-line Cloud Foundry client, use the following command:\n\ncf restage <appname>\n\nTo re-push your application using the command-line Cloud Foundry client, use the following command:\n\ncf push <appname>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-30T18:17:38", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in IBM\u00ae Java SDK affects Liberty for Java for IBM Cloud due to the January 2023 CPU plus deferred CVE-2022-21426", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-05-30T18:17:38", "id": "916385E416A757BD73E3CDE6A483117ED060F434AFC177A023624D5B1E8C6CE9", "href": "https://www.ibm.com/support/pages/node/6999295", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:50:46", "description": "## Summary\n\nVulnerabilities in IBM\u00ae Java\u2122 Technology Edition that is shipped as part of multiple IBM Tivoli Monitoring (ITM) components. CVEs: CVE-2023-21830, CVE-2023-21843, CVE-2022-21426\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Monitoring| 6.3.0 - 6.3.0.7 (up to 6.3.0.7 Service Pack 14) \n \n\n\n## Remediation/Fixes\n\n**Java Tivoli Enterprise Portal Remediation:** \nThese vulnerabilities exist where the affected Java Runtime Environment (JRE) is installed on systems running the Tivoli Enterprise Portal Browser client or Java WebStart client. The affected JRE is installed on a system when logging in to the IBM Tivoli Enterprise Portal by using the Browser client or WebStart client and a JRE at the required level does not exist. The portal provides an option to download the provided JRE to the system. \n \nThis fix provides updated JRE packages for the portal server, which can be downloaded by new client systems. Once the fix is installed on the portal server, instructions in the readme file can be used to download the updated JRE from the portal to the portal clients. \n\n## Fix\n\n| \n\n## VRMF\n\n| \n\n## How to acquire fix \n \n---|---|--- \n6.X.X-TIV-ITM_JRE_TEP-20230628| 6.3.0 through 6.3.0 FP7 (including any service packs)| [IBM Tivoli Monitoring 6 JRE Update (6.X.X-TIV-ITM_JRE_TEP-20230628 )](<https://www.ibm.com/support/pages/node/6991267> \"IBM Tivoli Monitoring 6 JRE Update \$6.X.X-TIV-ITM_JRE_TEP-20230628 \$\" ) \n \n \n \n**Java (CANDLEHOME) Remediation:** \nThe patch can be installed and updates the shared Tivoli Enterprise-supplied JRE (jr component on UNIX/Linux) or embedded JVM (JM component on Windows).\n\n## Fix\n\n| \n\n## VRMF\n\n| \n\n## How to acquire fix \n \n---|---|--- \n6.X.X-TIV-ITM_JRE_CANDLEHOME-20230628| 6.3.0 FP7 Service Pack 6 or later| [IBM Tivoli Monitoring 6 JRE Update (6.X.X-TIV-ITM_JRE_CANDLEHOME-20230628 )](<https://www.ibm.com/support/pages/node/6991265> \"IBM Tivoli Monitoring 6 JRE Update \$6.X.X-TIV-ITM_JRE_CANDLEHOME-20230628\$\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-15T22:26:36", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-05-15T22:26:36", "id": "23E8421E36730ABF053F73AB99A0740D1C577B2DF0EEC94B55CAF5BE760F31AB", "href": "https://www.ibm.com/support/pages/node/6991667", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:40:54", "description": "## Summary\n\nIBM Storage Protect Backup-Archive Client, IBM Storage Protect for Virtual Environments (Data Protection for Hyper-V and Data Protection for VMware), and IBM Storage Protect for Space Management can be affected by vulnerabilities in IBM Java. The vulnerabilities can lead to denial of service, as described by the CVEs in the \"Vulnerability Details\" section.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Storage Protect Client| 8.1.0.0 - 8.1.17.2 \nIBM Storage Protect for Virtual Environments| 8.1.0.0 - 8.1.17.2 \nIBM Storage Protect for Space Management| 8.1.0.0 - 8.1.17.2 \n \n## Remediation/Fixes\n\n**Product \n**| **Fixing level**| **Platforms**| **Link to fix and instructions** \n---|---|---|--- \nIBM Storage Protect Backup-Archive Client| 8.1.19.0| AIX \nHP-UX \nLinux \nMacintosh \nSolaris \nWindows| <https://www.ibm.com/support/pages/node/6989101> \nIBM Storage Protect for Space Management| 8.1.19.0| AIX \nLinux| <https://www.ibm.com/support/pages/node/6989089> \nIBM Storage Protect for Virtual Environments: Data Protection for Microsoft Hyper-V| 8.1.19.0| Windows| <https://www.ibm.com/support/pages/node/6989083> \nIBM Storage Protect for Virtual Environments: Data Protection for VMware| 8.1.19.0| Linux \nWindows| <https://www.ibm.com/support/pages/node/6989083> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-07-13T13:20:53", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java affect IBM Storage Protect Backup-Archive Client, IBM Storage Protect for Virtual Environments, and IBM Storage Protect for Space Management (CVE-2022-21426, CVE-2023-21830, CVE-2023-21843)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-07-13T13:20:53", "id": "D91605E64DFAEE8A32F73EC0EC9ED7EBC0261F11D34A19BC35970E6878F02001", "href": "https://www.ibm.com/support/pages/node/7011755", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T05:55:21", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM\u00ae SDK, Java\u2122 Technology Edition that is shipped with Liberty for Java for IBM Cloud. These might affect some configurations of Liberty for Java for IBM Cloud. These products have addressed the applicable CVEs. If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, refer to the link for \"IBM Java SDK Security Bulletin\" located in the References section for more information.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21434](<https://vulners.com/cve/CVE-2022-21434>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21443](<https://vulners.com/cve/CVE-2022-21443>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect all versions of Liberty for Java for IBM Cloud up to and including v3.70.\n\n \n\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java for IBM Cloud v3.71-20220621-1017 or higher, you must re-stage or re-push your application \n\nTo find the current version of Liberty for Java for IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:\n\ncf ssh <appname> -c \"cat staging_info.yml\"\n\nLook for similar lines:\n\n{\u201cdetected_buildpack\u201d:\u201cLiberty for Java(TM) (WAR, liberty-xxx, v3.71-20220621-1017, xxx, env)\u201c,\u201dstart_command\u201d:\u201c.liberty/initial_startup.rb\u201d}\n\nTo re-stage your application using the command-line Cloud Foundry client, use the following command:\n\ncf restage <appname>\n\nTo re-push your application using the command-line Cloud Foundry client, use the following command:\n\ncf push <appname>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-10-07T16:01:56", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect Liberty for Java for IBM Cloud due to April 2022 CPU (minus CVE-2022-21426)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21496"], "modified": "2022-10-07T16:01:56", "id": "CC6EC6642F504040F49FD6C9B2F8ED7A7B6193435EC54E02906DCB6C0648A228", "href": "https://www.ibm.com/support/pages/node/6603159", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T06:02:44", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 used by IBM Tivoli Netcool Impact. IBM Tivoli Netcool Impact has addressed the applicable CVEs. These issues were disclosed in the Oracle April 2022 Critical Patch Update, minus CVE-2022-21426\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21434](<https://vulners.com/cve/CVE-2022-21434>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21443](<https://vulners.com/cve/CVE-2022-21443>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool Impact| 7.1.0 \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation \n---|---|---|--- \nIBM Tivoli Netcool Impact 7.1.0| 7.1.0.26| IJ40679| Upgrade to [IBM Tivoli Netcool Impact 7.1.0 FP26](<https://www.ibm.com/support/pages/node/6587919> \"IBM Tivoli Netcool Impact 7.1.0 FP26\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-07-06T05:36:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21496"], "modified": "2022-07-06T05:36:01", "id": "D709D9AEFFEA65B5D2B3F250EAA35B7567EA2C85B722CBD20CA9AEC1783BC300", "href": "https://www.ibm.com/support/pages/node/6601533", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:48:38", "description": "## Summary\n\nMultiple vulnerabilities have been reported for IBM\u00ae Java SDK and WebSphere Application Server Liberty profile, which are shipped with IBM Business Automation Workflow containers.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-24998](<https://vulners.com/cve/CVE-2023-24998>) \n** DESCRIPTION: **Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit the number of request parts to be processed in the file upload function. By sending a specially-crafted request with series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247895](<https://exchange.xforce.ibmcloud.com/vulnerabilities/247895>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s)| Status| Note \n---|---|---|--- \nIBM Business Automation Workflow containers| \n\nV22.0.2 - V22.0.2-IF004 \nV22.0.1 all fixes \nV21.0.3 - V21.0.3-IF020 \nV21.0.2 all fixes \nV20.0.0.2 all fixes \nV20.0.0.1 all fixes\n\n| affected| \nIBM Business Automation Workflow traditional| V22.0.1 \nV21.0.1 - V21.0.3.1 \nV20.0.0.1 - V20.0.0.2 \nV19.0.0.1 - V19.0.0.3 \nV18.0.0.0 - V18.0.0.2| affected| Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed. \nIBM Business Automation Workflow Enterprise Service Bus| V22.0.2| affected| Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed. \n \nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\n\n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation / Fix \n---|---|--- \nIBM Business Automation Workflow containers| V22.0.2| Apply [22.0.2-IF005](<https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-2202-interim-fixes> \"22.0.2-IF005\" ) \nIBM Business Automation Workflow containers| V22.0.1| Upgrade to Business Automation Workflow on Containers 22.0.2 and apply [22.0.2-IF005](<https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-2202-interim-fixes> \"22.0.2-IF005\" ) \nIBM Business Automation Workflow containers| V21.0.3| Apply [21.0.3-IF021](<https://www.ibm.com/support/pages/node/6574109> \"21.0.3-IF021\" ) \nor upgrade to [22.0.2-IF005](<https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-2202-interim-fixes> \"22.0.2-IF005\" ) or later \nIBM Business Automation Workflow containers| V21.0.2 \nV20.0.0.1 - V20.0.0.2| Upgrade to [21.0.3-IF021](<https://www.ibm.com/support/pages/node/6574109> \"21.0.3-IF021\" ) \nor upgrade to [22.0.2-IF005](<https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-2202-interim-fixes> \"22.0.2-IF005\" ) or later \nIBM Business Automation Workflow traditional| V22.0.1 - V22.0.2 \nV21.0.1 - V21.0.3.1 \nV20.0.0.1 - V20.0.0.2| See [Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM\u00ae Java SDK CPU January 2023)](<https://www.ibm.com/support/pages/node/6983492>) and \n\n[Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24998)](<https://www.ibm.com/support/pages/node/6983486>) \n \nIBM Business Automation Workflow Enterprise Service Bus| \n\nV22.0.2 \n \n\n\n| See \n\n[Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM\u00ae Java SDK CPU January 2023)](<https://www.ibm.com/support/pages/node/6983492>) and\n\n[Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24998)](<https://www.ibm.com/support/pages/node/6983486>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-06-05T14:12:54", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK and WebSphere Application Server Liberty profile affect IBM Business Automation Workflow containers", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-24998"], "modified": "2023-06-05T14:12:54", "id": "ECFAD8E6C02ED1FDC660B7F94B3208DFF757AAB82DA3254B7ACBC8A758CB95BF", "href": "https://www.ibm.com/support/pages/node/7001287", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:50:06", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 used by AIX. AIX has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-30441](<https://vulners.com/cve/CVE-2023-30441>) \n** DESCRIPTION: **IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253188](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253188>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nAIX| 7.2 \nAIX| 7.3 \nVIOS| 3.1 \n \nThe following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:\n\nFor Java8: Less than 8.0.0.800\n\nNote: To find out whether the affected Java filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.\n\nExample: lslpp -L | grep -i java\n\n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now. \n\nNote: Recommended remediation is to always install the most recent Java package available for the respective Java version.\n\nIBM SDK, Java Technology Edition, Version 8 Service Refresh 8 and subsequent releases:\n\n[32-bit](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+32-bit,+pSeries&function=all>)\n\n[64-bit](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=8.0.0.0&platform=AIX+64-bit,+pSeries&function=all>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-05-19T17:05:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-30441"], "modified": "2023-05-19T17:05:37", "id": "96FAFF3C7D07405C90F28D7AA8785DE391620CE306F0F728B816138795273CE1", "href": "https://www.ibm.com/support/pages/node/6995887", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-26T07:29:03", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM Runtime Environment Java Version 8 used by WebSphere eXtreme Scale. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21967](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253166](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2023-21937](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253167](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWebSphere Extreme Scale| 8.6.1.0 - 8.6.1.5 \n \n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nWebSphere eXtreme Scale| 8.6.1.0 - 8.6.1.5| PH55403| For older versions, upgrade to fix pack 8.6.1.5 and then apply the PH55403 iFix. \nIf you are using 8.6.1.5 directly apply the PH55403 iFix. \n \nRefer to the **Version 8.6.1** table in the [Recommended Fixes page for WebSphere eXtreme Scale](<http://www.ibm.com/support/docview.wss?uid=swg27018991>). \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-07-08T20:08:23", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition affects WebSphere eXtreme Scale", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21937", "CVE-2023-21967"], "modified": "2023-07-08T20:08:23", "id": "4842A84DBF0F5AFE24AA54FAF156B0DA36BA0ABD8F7EC41826F91C93ECDE9C49", "href": "https://www.ibm.com/support/pages/node/7010585", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:49:48", "description": "## Summary\n\nIBM Tivoli Application Dependency Discovery Manager is vulnerable to denial of service due to use of IBM Java and runtimes (CVE-2022-21426, CVE-2023-30441, CVE-2023-21830, CVE-2023-21843)\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-30441](<https://vulners.com/cve/CVE-2023-30441>) \n** DESCRIPTION: **IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253188](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253188>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Application Dependency Discovery Manager| 7.3.0.0 -7.3.0.10 \n \n\n\n## Remediation/Fixes\n\nIn order to fix this vulnerability, Java needs to be upgraded to 8.0.8.0 for TADDM versions 7.3.0.5 - 7.3.0.10. \n\nCheck java version installed on TADDM servers using the below command:\n\n$COLLATION_HOME/external/<jdk- folder according to OS>/bin/java -version\n\n * For TADDM **7.3.0.5 - 7.3.0.10** (JAVA 8), if the above command output contains **\"SR6 FP10\"** or \"**8.0.6.10**\" or higher as build in Java(TM) SE Runtime Environment information, apply e-fix for the new IBM SDK only, **efix_jdk8.0.7.20_FP10221123.zip **given in Table-1 below.\n * For TADDM **7.3.0.0 - 7.3.0.4** (JAVA 7), Please upgrade to IBM Tivoli Application Dependency Discovery Manager Version 7.3.0.5 or later (Preferably to the latest release 7.3.0.10).\n\n * For all other cases: Please contact IBM Support and open a case with TADDM version and a link to this bulletin.\n\n**Table-1:**\n\nPlease review the eFix readme in etc/efix_readme.txt. The fixes for the respective FixPack(s) can be downloaded and applied directly.\n\n**Fix**| \n\n**VRMF **\n\n| **APAR**| **How to acquire fix** \n---|---|---|--- \nefix_jdk8.0.8.0_FP10221123.zip| \n\n7.3.0.5 - 7.3.0.10\n\n| None| [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=ZpZEjyPqF4Cne7fcRxU7YIZG9FA0bswhTz9CYLcnmE0> \"Download eFix\" ) \n \n**Table-2:**\n\nBelow are the JRE:\n\n**Fix**| \n\n**VRMF **\n\n| **APAR**| **How to acquire fix** \n---|---|---|--- \nibm-java-jre-80-win-i386| \n\n7.3.0.5 - 7.3.0.10\n\n| None| [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=M5qgrS8EL5rrYO3sETESXeqr6w111ds74KQCNOXuY2U> \"Download eFix\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-05-24T10:37:33", "type": "ibm", "title": "Security Bulletin: TADDM affected by multiple vulnerabilities due to IBM Java and its runtime", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-30441"], "modified": "2023-05-24T10:37:33", "id": "EFF110BCB9EDCBDB618BE8EC7DF42715A87607794FE8143FE35FE864675727A5", "href": "https://www.ibm.com/support/pages/node/6997919", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-29T17:53:08", "description": "## Summary\n\nVulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 8 used by IBM Integration Designer. IBM Integration Designer has addressed the following CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-30441](<https://vulners.com/cve/CVE-2023-30441>) \n** DESCRIPTION: **IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE components could expose sensitive information using a combination of flaws and configurations. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253188](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253188>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nBusiness Automation Workflow| 22.0.2 \nBusiness Automation Workflow| 22.0.1 \nBusiness Automation Workflow| 21.0.3 \nBusiness Automation Workflow| 20.0.0.2 \n \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\n[IBM Integration Designer 22.0.2](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=22.0.2-WS-IID-IFDT212288&source=SAR>)\n\n[IBM Integration Designer 22.0.1](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=22.0.1-WS-IID-IFDT212288&source=SAR>)\n\n[IBM Integration Designer 21.0.3](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=21.0.3-WS-IID-IFDT212288&source=SAR>)\n\n[IBM Integration Designer 20.0.0.2](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=20.0.0.2-WS-IID-IFDT212288&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-05-02T18:40:21", "type": "ibm", "title": "Security Bulletin: Multiple CVEs - Vulnerabilities in IBM Java Runtime affect IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-30441"], "modified": "2023-05-02T18:40:21", "id": "86277132501DAD58BB2ACB4C64FD60B259D2C0AD43248122C43F0A9DA4CD1368", "href": "https://www.ibm.com/support/pages/node/6987815", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T05:55:31", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 and 8 and IBM\u00ae Runtime Environment Java\u2122 Version 7 and 8 used by Rational Business Developer. Rational Business Developer has provided fixes for the applicable CVEs. These issues were disclosed as part of the IBM Java SDK and Runtime Environment updates in the Oracle April 2022 CPU (minus CVE-2022-21426).\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n**DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID: **[CVE-2022-21434](<https://vulners.com/cve/CVE-2022-21434>) \n**DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID: **[CVE-2022-21443](<https://vulners.com/cve/CVE-2022-21443>) \n**DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nRBD | 9.1 - 9.1.1.2 \nRBD | 9.5 - 9.5.1.2 \nRBD | 9.6 - 9.6.0.1 \nRBD | 9.7 \n \n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by installing this fix or a newer iFix or Fix Pack.**\n\n**Product** | **VRMF** | **APAR** | **Remediation / First Fix** | **File Name** \n---|---|---|---|--- \n_Rational Business Developer_ | 9.1 - 9.1.1.2 | None | [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.1.0&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.1.0&platform=All&function=all>) | RBD-9.1-PSIRT-JRE-7.1.5.10 \n_Rational Business Developer_ | 9.5 - 9.5.1.2 | None | \n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.5.0&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.5.0&platform=All&function=all>)\n\n| RBD-9.5-PSIRT-JRE-8.0.7.10 \n_Rational Business Developer_ | 9.6 - 9.6.0.1 | None | \n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.6&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.6&platform=All&function=all>)\n\n| RBD-9.6-PSIRT-JRE-8.0.7.10 \n_Rational Business Developer_ | 9.7 | None | [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.7.0&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.7.0&platform=All&function=all>) | RBD-9.7-PSIRT-JRE-8.0.7.10 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-10-06T04:51:40", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21496"], "modified": "2022-10-06T04:51:40", "id": "AD95CA7C23870D3804DD52C9A6B346994AFF4FE894A7AB9E451D67947633D8B0", "href": "https://www.ibm.com/support/pages/node/6826659", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T06:04:32", "description": "## Summary\n\nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2022 Critical Patch Update, except for CVE-2022-21426 which will be described in a future bulletin. For more information please refer to Oracle's April 2022 CPU Advisory and the X-Force database entries referenced below.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21434](<https://vulners.com/cve/CVE-2022-21434>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21443](<https://vulners.com/cve/CVE-2022-21443>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n7.0.0.0 - 7.0.11.5 \n7.1.0.0 - 7.1.5.5 \n8.0.0.0 - 8.0.7.6 \n \nFor detailed information on which CVEs affect which releases, please refer to the [IBM SDK, Java Technology Edition Security Vulnerabilities page](<https://developer.ibm.com/javasdk/support/security-vulnerabilities/>).\n\n \n\n\n## Remediation/Fixes\n\n7.0.11.10 \n7.1.5.10 \n8.0.7.10 \n \nIBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from the [Java Developer Center](<https://developer.ibm.com/javasdk/downloads/>). \n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [IBM support](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin. \n\n**APAR numbers are as follows:**\n\n[IJ39998](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ39998>) (CVE-2022-21496) \n[IJ40000](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ40000>) (CVE-2022-21434) \n[IJ40004](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ40004>) (CVE-2022-21443)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-06-01T10:50:29", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities may affect IBM\u00ae SDK, Java\u2122 Technology Edition", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21496"], "modified": "2022-06-01T10:50:29", "id": "F68AB9809A9ED0BF2F7F7D45080968ACBD941A3E4FB54AE4EF30774448A70284", "href": "https://www.ibm.com/support/pages/node/6591179", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T05:48:44", "description": "## Summary\n\nThere are vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Apr 2022 - Includes Oracle Apr 2022 CPU minus CVE-2022-21426 vulnerability that affect IBM Sterling Transformation Extender. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21434](<https://vulners.com/cve/CVE-2022-21434>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21443](<https://vulners.com/cve/CVE-2022-21443>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Transformation Extender| 10.0 \nIBM Sterling Transformation Extender| 10.1 \nIBM Sterling Transformation Extender| 10.1.1 \nIBM Sterling Transformation Extender| 10.1.2 \n \n## Remediation/Fixes\n\n**Product(s)**| **Version(s)**| **APAR**| **Fix Link** \n---|---|---|--- \nIBM Sterling Transformation Extender| 10.0.0, 10.1, 10.1.1, 10.1.2| PH52038| [Link](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Transformation+Extender&release=All&platform=All&function=aparId&apars=PH52038&source=fc> \"Link\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-01-30T17:29:11", "type": "ibm", "title": "Security Bulletin: IBM Sterling Transformation Extender vulnerable to multiple issues due to IBM SDK, Java Technology Edition", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21496"], "modified": "2023-01-30T17:29:11", "id": "C078ABAA6E4D80D641295C64101FDA8E9D886F6111077E1C84B7D25B9218FF32", "href": "https://www.ibm.com/support/pages/node/6890619", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-20T01:42:47", "description": "## Summary\n\nIBM Security Guardium has addressed these vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-43909](<https://exchange.xforce.ibmcloud.com/vulnerabilities/240905>) \n** DESCRIPTION: **IBM Security Guardium is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base score: 4.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/240905](<https://exchange.xforce.ibmcloud.com/vulnerabilities/240905>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-43907](<https://exchange.xforce.ibmcloud.com/vulnerabilities/240901>) \n** DESCRIPTION: **IBM Security Guardium could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. \nCVSS Base score: 7.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/240901](<https://exchange.xforce.ibmcloud.com/vulnerabilities/240901>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Security Guardium| 10.6 \nIBM Security Guardium| 11.3 \nIBM Security Guardium| 11.4 \nIBM Security Guardium| 11.5 \n \n## Remediation/Fixes\n\n**IBM encourages customers to update their systems promptly.**\n\n** Product**| **Versions**| ** Fix** \n---|---|--- \nIBM Security Guardium| 10.6| | [https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=Linux&function=fixId&fixids=SqlGuard_10.0p1025_Bundle_Jul-20-2023&includeSupersedes=0&source=fc](<https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=10.0&platform=Linux&function=fixId&fixids=SqlGuard_10.0p1025_Bundle_Jul-20-2023&includeSupersedes=0&source=fc>) \n--- \nIBM Security Guardium| 11.3| [https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p389_Bundle_Aug-21-2023&includeSupersedes=0&source=fc](<https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p389_Bundle_Aug-21-2023&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.4| [https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p475_Bundle_Jul-20-2023&includeSupersedes=0&source=fc](<https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p475_Bundle_Jul-20-2023&includeSupersedes=0&source=fc>) \nIBM Security Guardium| 11.5| [https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p530_Bundle_Aug-29-2023&includeSupersedes=0&source=fc](<https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p530_Bundle_Aug-29-2023&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-09-19T20:07:52", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-43907", "CVE-2022-43909", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-09-19T20:07:52", "id": "13DF93BE6568A723BC1B1099A6EB825A1766820CCBAA24882A8A0124557F6F8D", "href": "https://www.ibm.com/support/pages/node/7028511", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-07-29T17:53:16", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 1.8 used by IBM Sterling External Authentication Server. IBM Sterling External Authentication Server has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21628](<https://vulners.com/cve/CVE-2022-21628>) \n** DESCRIPTION: **Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238623](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238623>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21626](<https://vulners.com/cve/CVE-2022-21626>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238689](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238689>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-3676](<https://vulners.com/cve/CVE-2022-3676>) \n** DESCRIPTION: **Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an attacker could exploit this vulnerability to access or modify memory. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/239608](<https://exchange.xforce.ibmcloud.com/vulnerabilities/239608>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling External Authentication Server| 6.1.0 \nIBM Secure External Authentication Server| 6.0.3 \n \n\n\n## Remediation/Fixes\n\n**Product**| **Version**| **iFix**| **Remediation** \n---|---|---|--- \nIBM Sterling External Authentication Server | 6.1.0.0| iFix 03| [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther+software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=6.1.0.0&platform=All&function=all> \"Fix Central\" ) \nIBM Sterling External Authentication Server | 6.0.3.0| iFix 07| [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther+software&product=ibm/Other+software/Sterling+External+Authentication+Server&release=6.0.3.0&platform=All&function=all> \"Fix Central\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-04-29T03:45:21", "type": "ibm", "title": "Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple vulnerabilities due to IBM Java Runtime", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21626", "CVE-2022-21628", "CVE-2022-3676", "CVE-2023-21830"], "modified": "2023-04-29T03:45:21", "id": "78A698C4CF4ED7512CDC3542D745C570A2C31751FB3CD8B1F65E1C4ABB0FC834", "href": "https://www.ibm.com/support/pages/node/6987177", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-07-29T17:53:23", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 1.8 used by IBM Sterling Secure Proxy. IBM Sterling Secure Proxy has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21628](<https://vulners.com/cve/CVE-2022-21628>) \n** DESCRIPTION: **Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238623](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238623>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21626](<https://vulners.com/cve/CVE-2022-21626>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238689](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238689>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-3676](<https://vulners.com/cve/CVE-2022-3676>) \n** DESCRIPTION: **Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an attacker could exploit this vulnerability to access or modify memory. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/239608](<https://exchange.xforce.ibmcloud.com/vulnerabilities/239608>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\n**Affected Product**| **Version** \n---|--- \nIBM Sterling Secure Proxy| 6.0.3 \n \n\n\n## Remediation/Fixes\n\n**Product**| **Version**| **iFix**| **Remediation** \n---|---|---|--- \nIBM Sterling Secure Proxy| 6.0.3| iFix 07| [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other+software&product=ibm/Other+software/Sterling+Secure+Proxy&release=6.0.3.0&platform=All&function=all> \"Fix Central\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-04-28T21:26:21", "type": "ibm", "title": "Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple vulnerabilities due to IBM Java Runtime", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21626", "CVE-2022-21628", "CVE-2022-3676", "CVE-2023-21830"], "modified": "2023-04-28T21:26:21", "id": "4C86B8395A615C191CCBC8EE216129A475EC6F0EC9C347C3B9B3755117EF4CBD", "href": "https://www.ibm.com/support/pages/node/6987143", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-07-29T17:50:22", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, used by WebSphere Service Registry and Repository. These issues were disclosed as part of the IBM Java SDK updates in October 2022 and January 2023. These issues are addressed by WebSphere Application Server shipped with WebSphere Service Registry and Repository.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21626](<https://vulners.com/cve/CVE-2022-21626>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238689](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238689>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21624](<https://vulners.com/cve/CVE-2022-21624>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-3676](<https://vulners.com/cve/CVE-2022-3676>) \n** DESCRIPTION: **Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an attacker could exploit this vulnerability to access or modify memory. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/239608](<https://exchange.xforce.ibmcloud.com/vulnerabilities/239608>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWebSphere Service Registry and Repository| 8.5.x \nWebSphere Service Registry and Repository Studio| 8.5.x \n \n## Remediation/Fixes\n\nFor all versions of WebSphere Service Registry and Repository Studio:\n\n * Upgrade to WebSphere Service Registry and Repository Studio [V8.5.6.3_IJ46307](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FWebSphere+Service+Registry+and+Repository&fixids=8.5.6.3-WS-WSRR-Studio-Windows-IFIJ46307&source=SAR>)\n\nFor WebSphere Service Registry and Repository these issues are addressed by IBM WebSphere Application Server. Refer to the following security bulletins for vulnerability details and information about fixes:\n\n * [Security Bulletin: Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU](<https://www.ibm.com/support/pages/node/6839565> \"Security Bulletin: Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU\" )\n * [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to January 2023 CPU plus deferred CVE-2022-21426](<https://www.ibm.com/support/pages/node/6980375>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-05-17T15:45:41", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Service Registry and Repository due to October 2022 CPU and January 2023 CPU plus deferred CVE-2022-21426 and CVE-2022-3676", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21624", "CVE-2022-21626", "CVE-2022-3676", "CVE-2023-21830"], "modified": "2023-05-17T15:45:41", "id": "2FFAA17CE193A68550F9DD0D2CC3796647948BC829C6055DFDE457A57C0AAF0B", "href": "https://www.ibm.com/support/pages/node/6995185", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-06-24T05:55:36", "description": "## Summary\n\nJava is used by IBM Robotic Process Automation for Cloud Pak as part of several container services that run Java applications.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21434](<https://vulners.com/cve/CVE-2022-21434>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21443](<https://vulners.com/cve/CVE-2022-21443>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21449](<https://vulners.com/cve/CVE-2022-21449>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224732](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224732>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21476](<https://vulners.com/cve/CVE-2022-21476>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224758](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224758>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Robotic Process Automation for Cloud Pak| < 21.0.3.1 \n \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\n**Product(s)**| **Version(s) number and/or range **| **Remediation/Fix/Instructions** \n---|---|--- \nIBM Robotic Process Automation for Cloud Pak| < 21.0.3.1| Update to 21.0.3.1 or higher using the following [instructions](<https://www.ibm.com/docs/en/rpa/21.0?topic=upgrading-rpa-openshift-container-platform> \"\" ). \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-06T04:10:57", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-10-06T04:10:57", "id": "0800FED45015812CA59F3FB2B71E7EBC02028DD8D4576D54E210A3FF45EC494B", "href": "https://www.ibm.com/support/pages/node/6825989", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T05:55:58", "description": "## Summary\n\njava vulnerability allows unauthenticated attacker with network access via multiple protocols\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21434](<https://vulners.com/cve/CVE-2022-21434>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21443](<https://vulners.com/cve/CVE-2022-21443>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21449](<https://vulners.com/cve/CVE-2022-21449>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224732](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224732>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2022-21476](<https://vulners.com/cve/CVE-2022-21476>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224758](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224758>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nUCV - UrbanCode Velocity| All \n \n\n\n## Remediation/Fixes\n\nUpgrade to 2.6.3 or later \n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+UrbanCode+Velocity&release=2.6.3&platform=All&function=all](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+UrbanCode+Velocity&release=2.6.3&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-28T21:24:11", "type": "ibm", "title": "Security Bulletin: Multiple Java DOS vulnerabilities detected", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-09-28T21:24:11", "id": "EF9079290B88737FC8A621793C98EB82287DB53AD77BEA20CCA44251326E2BB9", "href": "https://www.ibm.com/support/pages/node/6824903", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-28T07:11:45", "description": "## Summary\n\nMultiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 7, and 8 that are used in IBM PureData System for Operational Analytics AIX based LPARs. These issues were disclosed as part of the IBM Java SDK updates in April 2022 to January 2023. These issues were disclosed as part of the IBM Java SDK updates between April 2022 and January 2023 (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619, CVE-2023-21830,CVE-2022-21426)\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21628](<https://vulners.com/cve/CVE-2022-21628>) \n** DESCRIPTION: **Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238623](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238623>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21626](<https://vulners.com/cve/CVE-2022-21626>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238689](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238689>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21624](<https://vulners.com/cve/CVE-2022-21624>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21619](<https://vulners.com/cve/CVE-2022-21619>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238698](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238698>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM PureData System for Operational Analytics| 1.1 \n \n\n\n## Remediation/Fixes\n\nJava installp packages are available. Please refer to the table below to determine the minimum levels needed. \n\nJava Level and Bit Width| Java Version| AIX Java Fileset Version| Appliance Fixpack \n---|---|---|--- \nJava 7 32 Bit| N/A| N/A| N/A \nJava 7 64 Bit| N/A| N/A| N/A \nJava 8 32 Bit| 8.0.7.20| 8.0.0.720| N/A \nJava 8 64 Bit| 8.0.7.20| 8.0.0.720| N/A \n \nNote: Java 7 32 and 64 bit are no longer supported and should be removed from the AIX LPARs in the appliance.\n\nUse the levels above and review the following technote to determine what to download and how to apply it to the environment.\n\n[Updating the system installed IBM\u00ae SDK Java\u2122 Technology Edition packages in an IBM PureData System for Operational Analytics environment.](<https://www.ibm.com/support/pages/node/6505701> \"Updating the system installed IBM\u00ae SDK Java\u2122 Technology Edition packages in an IBM PureData System for Operational Analytics environment.\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-04-04T22:21:33", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU -April 2022 to January 2023 affects AIX LPARs in IBM PureData System for Operational Analytics", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21619", "CVE-2022-21624", "CVE-2022-21626", "CVE-2022-21628", "CVE-2023-21830"], "modified": "2023-04-04T22:21:33", "id": "C5F628240DB4B1EAE3DA0AE709FE38C5E457D2CF3B13A8612B5AB159E298A3B3", "href": "https://www.ibm.com/support/pages/node/6980889", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-24T06:04:40", "description": "## Summary\n\nThis bulletin covers all applicable Java SE CVEs published by OpenJDK as part of their April 2022 Vulnerability Advisory. For more information please refer to OpenJDK's April 2022 Vulnerability Advisory and the X-Force database entries referenced below.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21476](<https://vulners.com/cve/CVE-2022-21476>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224758](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224758>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-21449](<https://vulners.com/cve/CVE-2022-21449>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224732](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224732>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2022-21496](<https://vulners.com/cve/CVE-2022-21496>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21434](<https://vulners.com/cve/CVE-2022-21434>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21443](<https://vulners.com/cve/CVE-2022-21443>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n8.0.302.0 - 8.0.322.0 \n11.0.12.0 - 11.0.14.0 \n17.0.1.0 - 17.0.2.0 \n \nFor detailed information on which CVEs affect which releases, please refer to the [IBM Semeru Runtimes Security Vulnerabilities page](<https://www.ibm.com/support/pages/semeru-runtimes-security-vulnerabilites>).\n\n \n\n\n## Remediation/Fixes\n\n8.0.332.0 \n11.0.15.0 \n17.0.3.0 \n18.0.1.0 \n \nIBM Semeru Runtime releases can be downloaded from the [IBM Semeru Developer Center](<https://developer.ibm.com/languages/java/semeru-runtimes/downloads>). \n \nIBM customers requiring an update for an SDK shipped with an IBM product should contact [IBM support](<http://www.ibm.com/support/>), and/or refer to the appropriate product security bulletin. \n\n**APAR numbers are as follows:**\n\n[IJ39978](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ39978>) (CVE-2022-21476) \n[IJ39996](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ39996>) (CVE-2022-21449) \n[IJ39998](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ39998>) (CVE-2022-21496) \n[IJ40000](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ40000>) (CVE-2022-21434) \n[IJ40002](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ40002>) (CVE-2022-21426) \n[IJ40004](<http://www-01.ibm.com/support/docview.wss?uid=swg1IJ40004>) (CVE-2022-21443)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-25T09:44:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities may affect IBM\u00ae Semeru Runtime", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-25T09:44:34", "id": "0427E6AA646DE077D9A0FABE9729FECFF5A0C7757BA113C348506FCB5410F3B3", "href": "https://www.ibm.com/support/pages/node/6589879", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-26T08:24:34", "description": "## Summary\n\nIBM Cloud Transformation Advisor has addressed several security vulnerabilities including those in Java and OpenSSL\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-0286](<https://vulners.com/cve/CVE-2023-0286>) \n** DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a type confusion error related to X.400 address processing inside an X.509 GeneralName. By passing arbitrary pointers to a memcmp call, a remote attacker could exploit this vulnerability to read memory contents or cause a denial of service. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/246611](<https://exchange.xforce.ibmcloud.com/vulnerabilities/246611>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) \n \n** CVEID: **[CVE-2022-4450](<https://vulners.com/cve/CVE-2022-4450>) \n** DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a double-free error related to the improper handling of specific PEM data by the PEM_read_bio_ex() function. By sending specially crafted PEM files for parsing, a remote attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/246615](<https://exchange.xforce.ibmcloud.com/vulnerabilities/246615>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2023-0215](<https://vulners.com/cve/CVE-2023-0215>) \n** DESCRIPTION: **OpenSSL is vulnerable to a denial of service, caused by a use-after-free error related to the incorrect handling of streaming ASN.1 data by the BIO_new_NDEF function. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/246614](<https://exchange.xforce.ibmcloud.com/vulnerabilities/246614>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-4304](<https://vulners.com/cve/CVE-2022-4304>) \n** DESCRIPTION: **OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/246612](<https://exchange.xforce.ibmcloud.com/vulnerabilities/246612>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Transformation Advisor| 2.0.1 - 3.5.0 \n \n\n\n## Remediation/Fixes\n\nProduct(s)| Version(s)| Remediation/Fix/Instructions \n---|---|--- \nIBM Cloud Transformation Advisor| 2.0.1 - 3.5.0| Install v3.5.1 from OperatorHub page in Red Hat OpenShift Container Platform or locally following this [link](<https://www.ibm.com/cloud/architecture/tutorials/install-ibm-transformation-advisor-local> \"link\" ). \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-05-04T16:13:17", "type": "ibm", "title": "Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-4304", "CVE-2022-4450", "CVE-2023-0215", "CVE-2023-0286", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-05-04T16:13:17", "id": "5952692D49B58BD246695C217C8F0489556BAB8A5670C5400570111E98BA4543", "href": "https://www.ibm.com/support/pages/node/6988351", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-01T06:16:35", "description": "## Summary\n\nVulnerabilities in the Java Runtime Environment (JRE) 8.0.7.11 and earlier component shipped with Rational Synergy may affect the security of the product.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-3676](<https://exchange.xforce.ibmcloud.com/vulnerabilities/239608>) \n** DESCRIPTION: **Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an attacker could exploit this vulnerability to access or modify memory. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/239608](<https://exchange.xforce.ibmcloud.com/vulnerabilities/239608>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2021-2163](<https://exchange.xforce.ibmcloud.com/vulnerabilities/200292>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/200292](<https://exchange.xforce.ibmcloud.com/vulnerabilities/200292>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2022-21628](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238623>) \n** DESCRIPTION: **Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238623](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238623>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21626](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238689>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238689](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238689>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2022-21624](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238699>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21619](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238698>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/238698](<https://exchange.xforce.ibmcloud.com/vulnerabilities/238698>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-30441](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253188>) \n** DESCRIPTION: **IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253188](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253188>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nRational Synergy| 7.2.2.5 \n \n## Remediation/Fixes\n\n**Product **| **VRMF**| **APAR**| **Remediation/Fixes** \n---|---|---|--- \nRational Synergy| 7.2.2.6| None| \n\nUpgrade to Rational Synergy 7.2.2.6 supporting JRE 8.0.8.0 from [IBM Passport Advantage](<https://iea-pf-b1p3a.mul.ie.ibm.com/netaccess/loginuser.html> \"IBM Passport Advantage\" ) and apply it.\n\n**NOTE:**\n\nDownload the Rational Synergy 7.2.2.6 installation image by referring to the installation platform and its part number in the following list:\n\n * IBM Rational Synergy V7.2.2.6 Linux Informix Multilingual (CC5T9ML)\n * IBM Rational Synergy V7.2.2.6 Linux Oracle Multilingual (CC5TAML)\n * IBM Rational Synergy V7.2.2.6 Windows Informix Multilingual (CC5TBML) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-08-01T07:07:15", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in Rational Synergy 7.2.2.5", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2163", "CVE-2022-21426", "CVE-2022-21619", "CVE-2022-21624", "CVE-2022-21626", "CVE-2022-21628", "CVE-2022-3676", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-30441"], "modified": "2023-08-01T07:07:15", "id": "31B52B6899B60AEEF3E2FDB88C6911775AAECF09577B42C5714529B9E50C6861", "href": "https://www.ibm.com/support/pages/node/7014913", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-09-21T10:35:53", "description": "## Summary\n\nIn addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF022 and 22.0.2-IF006.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-43929](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241676>) \n** DESCRIPTION: **IBM Db2 for Linux, UNIX and Windows 11.1 and 11.5 may be vulnerable to a Denial of Service when executing a specially crafted 'Load' command. IBM X-Force ID: 241676. \nCVSS Base score: 4.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/241676](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241676>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2022-43927](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241671>) \n** DESCRIPTION: **IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privilege management when a specially crafted table access is used. IBM X-Force ID: 241671. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/241671](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241671>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2014-3577](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95327>) \n** DESCRIPTION: **Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/95327](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95327>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2022-43930](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241677>) \n** DESCRIPTION: **IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to an Information Disclosure as sensitive information may be included in a log file. IBM X-Force ID: 241677. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/241677](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241677>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-34169](<https://exchange.xforce.ibmcloud.com/vulnerabilities/231489>) \n** DESCRIPTION: **The Apache Xalan Java XSLT library could allow a remote attacker to execute arbitrary code on the system, caused by an integer truncation issue when processing malicious XSLT stylesheets. By using specially crafted XSLT stylesheets, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/231489](<https://exchange.xforce.ibmcloud.com/vulnerabilities/231489>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2022-42889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/247569>) \n** DESCRIPTION: **OX AppSuite could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Text library. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/247569](<https://exchange.xforce.ibmcloud.com/vulnerabilities/247569>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-1471](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241118>) \n** DESCRIPTION: **SnakeYaml could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Constructor class. By using a specially-crafted yaml content, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/241118](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241118>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s)| Status \n---|---|--- \nIBM Cloud Pak for Business Automation| V22.0.2 - V22.0.2-IF005| affected \nIBM Cloud Pak for Business Automation| V21.0.3 - V21.0.3-IF021| affected \nIBM Cloud Pak for Business Automation| V22.0.1 - V22.0.1-IF006 and later fixes \nV21.0.2 - V21.0.2-IF012 and later fixes \nV21.0.1 - V21.0.1-IF007 and later fixes \nV20.0.1 - V20.0.3 and later fixes \nV19.0.1 - V19.0.3 and later fixes \nV18.0.0 - V18.0.2 and later fixes| affected \n \n## Remediation/Fixes\n\nAny open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by\n\nCVE ID| Addressed in component \n---|--- \nCVE-2022-43929| Db2 in starter pattern \nCVE-2022-43927| Db2 in starter pattern \nCVE-2014-3577| Db2 in starter pattern \nCVE-2022-43930| Db2 in starter pattern \nCVE-2022-34169| Operational Decision Management, Automation Decisions Services \nCVE-2022-42889| Automation Decisions Services \nCVE-2022-21426| Operational Decision Management \nCVE-2023-21830| Operational Decision Management \nCVE-2023-21843| Operational Decision Management \nCVE-2022-1471| Automation Decisions Services \n \nAffected Product(s)| Version(s)| Remediation / Fix \n---|---|--- \nIBM Cloud Pak for Business Automation| V22.0.2 - V22.0.2-IF005| Apply security fix [22.0.2-IF006](<https://www.ibm.com/support/pages/node/7001049> \"22.0.2-IF006\" ) \nIBM Cloud Pak for Business Automation| V21.0.3 - V21.0.3-IF021| Apply security fix [21.0.3-IF022](<https://www.ibm.com/support/pages/node/7001241> \"21.0.3-IF022\" ) or upgrade to [22.0.2-IF006](<https://www.ibm.com/support/pages/node/7001049> \"22.0.2-IF006\" ) \nIBM Cloud Pak for Business Automation| V21.0.1 - V21.0.1-IF008 \nV20.0.1 - V20.0.3 \nV19.0.1 - V19.0.3 \nV18.0.0 - V18.0.2| Upgrade to [21.0.3-IF022](<https://www.ibm.com/support/pages/node/7001241> \"21.0.3-IF022\" ) or [22.0.2-IF006](<https://www.ibm.com/support/pages/node/7001049> \"22.0.2-IF006\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-30T15:51:44", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2023", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3577", "CVE-2022-1471", "CVE-2022-21426", "CVE-2022-34169", "CVE-2022-42889", "CVE-2022-43927", "CVE-2022-43929", "CVE-2022-43930", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-06-30T15:51:44", "id": "00B8BFFFE9EC2CDB467AF3D17608DB7C5E49C98591131C859F8ADA15204371EB", "href": "https://www.ibm.com/support/pages/node/7009021", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-26T06:55:57", "description": "## Summary\n\nIBM\u00ae SDK Java\u2122 Technology Edition and IBM\u00ae Runtime Environment Java\u2122 used by IBM i are vulnerable to denial of service, availability, integrity, and confidentiality impacts as described in the vulnerability details section (CVE-2022-21426, CVE-2023-2597, CVE-2023-21830, CVE-2023-21843, CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968). The vulnerabilities are fixed by applying an IBM i Group PTF for Java as described in the remediation/fixes section. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21930](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253115>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253115](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253115>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2023-21967](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253156>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253156](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253156>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2023-21954](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253166](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2023-21939](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253168>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253168](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253168>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21968](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253083>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE and GraalVM Enterprise Edition related to the Libraries component could allow an unauthenticated attacker to cause low integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253083](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253083>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21937](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253167](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21938](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253155>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253155](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253155>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-2597](<https://exchange.xforce.ibmcloud.com/vulnerabilities/255906>) \n** DESCRIPTION: **Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/255906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/255906>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM i| 7.5 \nIBM i| 7.4 \nIBM i| 7.3 \n \n## Remediation/Fixes\n\nThe vulnerabilities can be fixed by applying the latest Java Group PTF. Releases 7.5, 7.4, and 7.3, of IBM i will be fixed. \n\nThe IBM i Group PTF numbers contain the fixes for the vulnerabilities. Future Group PTFs for Java will also contain the fixes for the vulnerabilities.\n\nIBM i Release| 5770-JV1 Group PTF Number and Level| PTF Download Link \n---|---|--- \n7.5| \n\nSF99955 Level 6\n\n| \n\n<https://www.ibm.com/support/pages/uid/nas4SF99955> \n \n7.4| \n\nSF99665 Level 19\n\n| \n\n<https://www.ibm.com/support/pages/uid/nas4SF99665> \n \n7.3| \n\nSF99725 Level 29\n\n| <https://www.ibm.com/support/pages/uid/nas4SF99725> \n \nPlease see the Java document at this URL for the latest Java information for IBM i: \n<https://www.ibm.com/support/pages/java-ibm-i>\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the \"IBM Java SDK Security Vulnerabilities\", located in the References section for more information.\n\n**Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._**\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-08-18T21:41:15", "type": "ibm", "title": "Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to denial of service, availability, integrity, and confidentiality impacts due to multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-21930", "CVE-2023-21937", "CVE-2023-21938", "CVE-2023-21939", "CVE-2023-21954", "CVE-2023-21967", "CVE-2023-21968", "CVE-2023-2597"], "modified": "2023-08-18T21:41:15", "id": "25D690A300D0E42310A8CA7E7EF327D23154BCA8F8F8C7756472D12C2424B272", "href": "https://www.ibm.com/support/pages/node/7028168", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-09-26T07:45:59", "description": "## Summary\n\nIBM\u00ae Runtime Environment Java\u2122 is used by CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. The fix updates the Java Runtime Environment to resolve the following vulnerabilities. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21930](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253115>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253115](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253115>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2023-21967](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253166](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2023-21954](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253156>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253156](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253156>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2023-21939](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253168>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253168](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253168>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21968](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253083>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE and GraalVM Enterprise Edition related to the Libraries component could allow an unauthenticated attacker to cause low integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253083](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253083>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21937](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253167](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21938](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253155>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253155](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253155>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-2597](<https://exchange.xforce.ibmcloud.com/vulnerabilities/255906>) \n** DESCRIPTION: **Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/255906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/255906>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nCICS Transaction Gateway Desktop Edition| 9.0 \nCICS Transaction Gateway Desktop Edition| 9.1 \nCICS Transaction Gateway Desktop Edition| 9.2 \nCICS Transaction Gateway Desktop Edition| 9.3 \nIBM CICS Transaction Gateway| 9.0 \nIBM CICS Transaction Gateway| 9.1 \nIBM CICS Transaction Gateway| 9.2 \nIBM CICS Transaction Gateway| 9.3 \n \n## Remediation/Fixes\n\nIBM recommends that you apply these fixes:\n\n**Product**\n\n| **VRMF**| **Remediation/First Fix** \n---|---|--- \n \nCICS Transaction Gateway for Multiplatforms\n\nCICS Transaction Gateway Desktop Edition\n\n| 9.0| \n\nPSIRT fixes for CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition 9.0 will be provided only for extended support customers with request through Salesforce case. \n \nCICS Transaction Gateway for Multiplatforms\n\nCICS Transaction Gateway Desktop Edition\n\n| 9.1| \n\nAIX: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-AIXpSeries32-JRE-SR5&source=SAR > \"Fix Central Link\" )\n\nLinux on POWER Big Endian: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-LinuxpSeries32-JRE-SR5&source=SAR> \"Fix Central Link\" )\n\nLinux on Intel: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-Linuxx8632-JRE-SR5&source=SAR> \"Fix Central Link\" )\n\nLinux on IBM Z: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-LinuxzSeries31-JRE-SR5&source=SAR> \"Fix Central Link\" )\n\nWindows: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-Windowsx8632-JRE-SR5&source=SAR> \"Fix Central Link\" ) \n \nCICS Transaction Gateway for Multiplatforms\n\nCICS Transaction Gateway Desktop Edition\n\n| \n\n9.2\n\n| \n\nAIX: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-AIXpSeries32-JRE-SR5&source=SAR> \"Fix Central Link\" )\n\nLinux on POWER Big Endian: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-LinuxpSeries32-JRE-SR5&source=SAR> \"Fix Central Link\" )\n\nLinux on Intel: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-Linuxx8632-JRE-SR5&source=SAR> \"Fix Central Link\" )\n\nLinux on IBM Z: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-LinuxzSeries31-JRE-SR5&source=SAR> \"Fix Central Link\" )\n\nWindows: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-Windowsx8632-JRE-SR5&source=SAR> \"Fix Central Link\" ) \n \nCICS Transaction Gateway for Multiplatforms\n\nCICS Transaction Gateway Desktop Edition\n\n| \n\n9.3\n\n| \n\nLinux on POWER Big Endian: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-LinuxpSeries32-JRE-SR5&source=SAR> \"Fix Central Link\" )\n\nWindows: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-Windowsx8632-JRE-SR5&source=SAR> \"Fix Central Link\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-06-29T09:10:52", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-21930", "CVE-2023-21937", "CVE-2023-21938", "CVE-2023-21939", "CVE-2023-21954", "CVE-2023-21967", "CVE-2023-21968", "CVE-2023-2597"], "modified": "2023-06-29T09:10:52", "id": "2D0F574971EC3935DCB84C5F7C39763FF716E95E0A5DB8AD002F670020E3326E", "href": "https://www.ibm.com/support/pages/node/7008335", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-09-26T07:14:52", "description": "## Summary\n\nMultiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights 1.3.6 or earlier. The following relevant vulnerabilities, [CVE-2023-21830, CVE-2023-21843, CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-2597, CVE-2022-21426] were published by Oracle as part of their January and April 2023 Critical Patch Update\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-21930](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253115>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253115](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253115>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2023-21967](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253156>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253156](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253156>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2023-21954](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253166](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2023-21939](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253168>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253168](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253168>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21968](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253083>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE and GraalVM Enterprise Edition related to the Libraries component could allow an unauthenticated attacker to cause low integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253083](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253083>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21937](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253167](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21938](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253155>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253155](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253155>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-2597](<https://exchange.xforce.ibmcloud.com/vulnerabilities/255906>) \n** DESCRIPTION: **Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/255906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/255906>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Operations Analytics Predictive Insights| 1.3.5 \nIBM Operations Analytics Predictive Insights| 1.3.6 \n \n## Remediation/Fixes\n\nIBM strongly suggests applying 1.3.6 InterimI Fix 6 from Fix Central: \n\n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6>)\n\nThen, download and apply IBM SDK, Java Technology Edition release 8.0.8.6 with the latest fixes from the [Java Developer Center](<https://www.ibm.com/support/pages/java-sdk-downloads-version-80>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-07-21T15:41:22", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-21930", "CVE-2023-21937", "CVE-2023-21938", "CVE-2023-21939", "CVE-2023-21954", "CVE-2023-21967", "CVE-2023-21968", "CVE-2023-2597"], "modified": "2023-07-21T15:41:22", "id": "E5EA1ABA09C0B7BA9C99C3CA24CC6F67B4249EFAC33F9E2686685604DDE79CB6", "href": "https://www.ibm.com/support/pages/node/7013887", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-09-12T02:11:27", "description": "## Summary\n\nIBM Data Risk Manager (IDRM) 2.0.6.16, which is the only supported version, is affected by multiple vulnerabilities. The vulnerabilities have been addressed in the updated version of IDRM 2.0.6.17. Please see the remediation steps below to apply the fix. All customers are encouraged to act quickly to update their systems.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-20862](<https://vulners.com/cve/CVE-2023-20862>) \n** DESCRIPTION: **VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by the logout support feature does not properly clean the security context if using serialized versions. By sending a specially-crafted request, an attacker could exploit this vulnerability to remain authenticated after logout is performed. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253351](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253351>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2023-21830](<https://vulners.com/cve/CVE-2023-21830>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://vulners.com/cve/CVE-2023-21843>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-20861](<https://vulners.com/cve/CVE-2023-20861>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/250701](<https://exchange.xforce.ibmcloud.com/vulnerabilities/250701>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-30441](<https://vulners.com/cve/CVE-2023-30441>) \n** DESCRIPTION: **IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253188](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253188>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2023-1370](<https://vulners.com/cve/CVE-2023-1370>) \n** DESCRIPTION: **netplex json-smart-v2 is vulnerable to a denial of service, caused by not limiting the nesting of arrays or objects. By sending a specially crafted input, a remote attacker could exploit this vulnerability to cause a stack exhaustion and crash the software. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/249885](<https://exchange.xforce.ibmcloud.com/vulnerabilities/249885>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-37533](<https://vulners.com/cve/CVE-2021-37533>) \n** DESCRIPTION: **Apache Commons Net could allow a remote attacker to obtain sensitive information, caused by an issue with the FTP client trusts the host from PASV response by default. By persuading a victim to connect to specially-crafted server, an attacker could exploit this vulnerability to obtain information about services running on the private network, and use this information to launch further attacks against the affected system. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/241253](<https://exchange.xforce.ibmcloud.com/vulnerabilities/241253>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-4378](<https://vulners.com/cve/CVE-2022-4378>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in the __do_proc_dointvec function. By executing a specially-crafted program, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/242006](<https://exchange.xforce.ibmcloud.com/vulnerabilities/242006>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2023-20860](<https://vulners.com/cve/CVE-2023-20860>) \n** DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher in Spring Security configuration. An attacker could exploit this vulnerability to create a mismatch in pattern matching between Spring Security and Spring MVC. \nCVSS Base score: 9.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/250679](<https://exchange.xforce.ibmcloud.com/vulnerabilities/250679>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2023-1436](<https://vulners.com/cve/CVE-2023-1436>) \n** DESCRIPTION: **Jettison is vulnerable to a denial of service, caused by an infinite recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/250490](<https://exchange.xforce.ibmcloud.com/vulnerabilities/250490>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-28708](<https://vulners.com/cve/CVE-2023-28708>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the missing of secure attribute in some configurations for JSESSIONID Cookie when using the RemoteIpFilter. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain session cookie information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/250740](<https://exchange.xforce.ibmcloud.com/vulnerabilities/250740>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2022-21426](<https://vulners.com/cve/CVE-2022-21426>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** IBM X-Force ID: **254437 \n** DESCRIPTION: **jose.4.j could allow a remote attacker to obtain sensitive information, caused by a chosen ciphertext attack in RSA1_5. By utilize cryptographic attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/254437 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/254437>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Data Risk Manager| 2.0.6.16 \n \n## Remediation/Fixes\n\n**IBM encourages customers to update their systems promptly.**\n\nTo obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.16, and then apply the latest FixPack 2.0.6.17.\n\n**Affected Product(s)**| **Version(s)**| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Data Risk Manager| 2.0.6.16| \n\nApply [DRM_2.0.6.17_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.16&platform=Linux&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-31T19:18:09", "type": "ibm", "title": "Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37533", "CVE-2022-21426", "CVE-2022-4378", "CVE-2023-1370", "CVE-2023-1436", "CVE-2023-20860", "CVE-2023-20861", "CVE-2023-20862", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-28708", "CVE-2023-30441"], "modified": "2023-05-31T19:18:09", "id": "AD07FBFE41C71959BA164DC477AA5C9937143E243C7EA2C9CB72779238BB5E2B", "href": "https://www.ibm.com/support/pages/node/6999555", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-09-26T07:05:37", "description": "## Summary\n\nIn addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF023 and 23.0.1-IF001.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-38367](<https://exchange.xforce.ibmcloud.com/vulnerabilities/261130>) \n** DESCRIPTION: **IBM Cloud Pak Foundational Services Identity Provider (idP) API allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configuration. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/261130](<https://exchange.xforce.ibmcloud.com/vulnerabilities/261130>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2023-21830](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245038](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245038>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245037](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245037>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21930](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253115>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253115](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253115>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2023-21967](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253156>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253156](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253156>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2023-21954](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253166](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253166>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2023-21939](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253168>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253168](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253168>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21968](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253083>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE and GraalVM Enterprise Edition related to the Libraries component could allow an unauthenticated attacker to cause low integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253083](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253083>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21937](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253167](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253167>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-21938](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253155>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253155](<https://exchange.xforce.ibmcloud.com/vulnerabilities/253155>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2023-2597](<https://exchange.xforce.ibmcloud.com/vulnerabilities/255906>) \n** DESCRIPTION: **Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/255906](<https://exchange.xforce.ibmcloud.com/vulnerabilities/255906>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-21426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224714](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224714>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2023-2253](<https://exchange.xforce.ibmcloud.com/vulnerabilities/254846>) \n** DESCRIPTION: **Distribution is vulnerable to a denial of service, caused by improper input validation by the /v2/_catalog endpoint. By sending a specially crafted /v2/_catalog API endpoint request request, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/254846](<https://exchange.xforce.ibmcloud.com/vulnerabilities/254846>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s)| Status \n---|---|--- \nIBM Cloud Pak for Business Automation| V23.0.1| affected \nIBM Cloud Pak for Business Automation| V21.0.3 - V21.0.3-IF022| affected \nIBM Cloud Pak for Business Automation| V22.0.2 - V22.0.2-IF006 and later fixes \nV22.0.1 - V22.0.1-IF006 and later fixes \nV21.0.2 - V21.0.2-IF012 and later fixes \nV21.0.1 - V21.0.1-IF007 and later fixes \nV20.0.1 - V20.0.3 and later fixes \nV19.0.1 - V19.0.3 and later fixes \nV18.0.0 - V18.0.2 and later fixes| affected \n \n## Remediation/Fixes\n\nAny open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by\n\nCVE ID| Addressed in component \n---|--- \nCVE-2022-21426| Java based components \nCVE-2023-21830| Java based components \nCVE-2023-21843| Java based components \nCVE-2023-21930| Java based components \nCVE-2023-21937| Java based components \nCVE-2023-21938| Java based components \nCVE-2023-21939| Java based components \nCVE-2023-21954| Java based components \nCVE-2023-21967| Java based components \nCVE-2023-21968| Java based components \nCVE-2023-2253| Operational Decision Manager component \nCVE-2023-2597| Java based components \nCVE-2023-38367| IBM Cloud Pak foundational services \nPlease see [An important security issue with Identity Management found with Cloud Pak for Business Automation 23.0.1](<https://www.ibm.com/support/pages/node/7008631> \"An important security issue with Identity Management found with Cloud Pak for Business Automation 23.0.1\" ) for additional details \n \nAffected Product(s)| Version(s)| Remediation / Fix \n---|---|--- \nIBM Cloud Pak for Business Automation| V23.0.1| Apply security fix [23.0.1-IF001](<https://www.ibm.com/support/pages/node/7009703> \"23.0.1-IF001\" ) \nIBM Cloud Pak for Business Automation| V22.0.2 - V22.0.2-IF005| Apply security fix [23.0.1-IF001](<https://www.ibm.com/support/pages/node/7009703> \"23.0.1-IF001\" ) \nIBM Cloud Pak for Business Automation| V21.0.3 - V21.0.3-IF022| Apply security fix [21.0.3-IF023](<https://www.ibm.com/support/pages/node/7009699> \"21.0.3-IF023\" ) or upgrade to [23.0.1-IF001](<https://www.ibm.com/support/pages/node/7009703> \"23.0.1-IF001\" ) \nIBM Cloud Pak for Business Automation| V21.0.1 - V21.0.1-IF008 \nV20.0.1 - V20.0.3 \nV19.0.1 - V19.0.3 \nV18.0.0 - V18.0.2| Upgrade to [21.0.3-IF023](<https://www.ibm.com/support/pages/node/7009699> \"21.0.3-IF023\" ) or [23.0.1-IF001](<https://www.ibm.com/support/pages/node/7009703> \"23.0.1-IF001\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-07-28T07:30:53", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2023", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843", "CVE-2023-21930", "CVE-2023-21937", "CVE-2023-21938", "CVE-2023-21939", "CVE-2023-21954", "CVE-2023-21967", "CVE-2023-21968", "CVE-2023-2253", "CVE-2023-2597", "CVE-2023-38367"], "modified": "2023-07-28T07:30:53", "id": "75B047BBA3A3D86E57FF5ED11A58BF675D163D5E9120073AFEF4FD3E99030BEE", "href": "https://www.ibm.com/support/pages/node/7015271", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}], "redhatcve": [{"lastseen": "2023-08-07T11:31:19", "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-04-20T08:28:36", "type": "redhatcve", "title": "CVE-2022-21426", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-08-07T10:21:06", "id": "RH:CVE-2022-21426", "href": "https://access.redhat.com/security/cve/cve-2022-21426", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntucve": [{"lastseen": "2023-08-09T15:27:09", "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition\nproduct of Oracle Java SE (component: JAXP). Supported versions that are\naffected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle\nGraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\nvulnerability allows unauthenticated attacker with network access via\nmultiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise\nEdition. Successful attacks of this vulnerability can result in\nunauthorized ability to cause a partial denial of service (partial DOS) of\nOracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability\napplies to Java deployments, typically in clients running sandboxed Java\nWeb Start applications or sandboxed Java applets, that load and run\nuntrusted code (e.g., code that comes from the internet) and rely on the\nJava sandbox for security. This vulnerability can also be exploited by\nusing APIs in the specified Component, e.g., through a web service which\nsupplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts).\nCVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-04-19T00:00:00", "type": "ubuntucve", "title": "CVE-2022-21426", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2022-04-19T00:00:00", "id": "UB:CVE-2022-21426", "href": "https://ubuntu.com/security/CVE-2022-21426", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "veracode": [{"lastseen": "2023-04-25T20:13:54", "description": "openjdk is vulnerable to denial of service. The vulnerability exists due to a lack of validation of authentication allowing an attacker to crash the system using APIs in the specified Component. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-04-24T00:57:44", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2022-08-25T09:42:41", "id": "VERACODE:35226", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-35226/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debiancve": [{"lastseen": "2023-07-29T02:03:30", "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-04-19T21:15:00", "type": "debiancve", "title": "CVE-2022-21426", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2022-04-19T21:15:00", "id": "DEBIANCVE:CVE-2022-21426", "href": "https://security-tracker.debian.org/tracker/CVE-2022-21426", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "prion": [{"lastseen": "2023-08-15T15:42:16", "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-04-19T21:15:00", "type": "prion", "title": "CVE-2022-21426", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-04-27T17:53:00", "id": "PRION:CVE-2022-21426", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-21426", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "alpinelinux": [{"lastseen": "2023-07-24T01:11:56", "description": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-04-19T21:15:00", "type": "alpinelinux", "title": "CVE-2022-21426", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426"], "modified": "2023-04-27T17:53:00", "id": "ALPINE:CVE-2022-21426", "href": "https://security.alpinelinux.org/vuln/CVE-2022-21426", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2023-07-30T00:25:48", "description": "IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update upgrades IBM Java SE 8 to version 8 SR8.\n\nSecurity Fix(es):\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021) (CVE-2023-21830)\n\n* OpenJDK: soundbank URL remote loading (Sound, 8293742) (CVE-2023-21843)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-05-16T18:10:27", "type": "redhat", "title": "(RHSA-2023:3136) Moderate: java-1.8.0-ibm security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-05-16T18:10:55", "id": "RHSA-2023:3136", "href": "https://access.redhat.com/errata/RHSA-2023:3136", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-17T22:32:47", "type": "redhat", "title": "(RHSA-2022:1728) Important: java-11-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-17T23:05:20", "id": "RHSA-2022:1728", "href": "https://access.redhat.com/errata/RHSA-2022:1728", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-20T12:24:01", "type": "redhat", "title": "(RHSA-2022:1442) Important: java-11-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-20T12:58:12", "id": "RHSA-2022:1442", "href": "https://access.redhat.com/errata/RHSA-2022:1442", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nThis release of the Red Hat build of OpenJDK 8 (8u332) for portable Linux serves as a replacement for Red Hat build of OpenJDK 8 (8u322) and includes security and bug fixes as well as enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nBug Fix(es):\n\n* The Red Hat build of OpenJDK 8u322 attempted to use /etc/pki/java/cacerts as their security certificate database, a change in behaviour from 8u312 where the cacerts database inside the portable build was used. This update rectifies this situation and again uses the database provided in the JDK bundle. Users may also now configure the cacerts database in the java.security file using the property security.systemCACerts. This functionality may be disabled using the switch -Djava.security.disableSystemCACerts=true\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-28T18:57:17", "type": "redhat", "title": "(RHSA-2022:1438) Important: OpenJDK 8u332 security update for Portable Linux Builds", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-28T18:57:38", "id": "RHSA-2022:1438", "href": "https://access.redhat.com/errata/RHSA-2022:1438", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-17T22:32:47", "type": "redhat", "title": "(RHSA-2022:2137) Important: java-1.8.0-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-17T23:05:22", "id": "RHSA-2022:2137", "href": "https://access.redhat.com/errata/RHSA-2022:2137", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-25T12:35:45", "type": "redhat", "title": "(RHSA-2022:1487) Important: java-1.8.0-openjdk security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-25T12:36:10", "id": "RHSA-2022:1487", "href": "https://access.redhat.com/errata/RHSA-2022:1487", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nThe following packages have been upgraded to a later upstream version: java-11-openjdk (11.0.15.0.9). (BZ#2047531)\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-20T12:19:58", "type": "redhat", "title": "(RHSA-2022:1440) Important: java-11-openjdk security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-20T13:19:08", "id": "RHSA-2022:1440", "href": "https://access.redhat.com/errata/RHSA-2022:1440", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-20T12:22:21", "type": "redhat", "title": "(RHSA-2022:1444) Important: java-11-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-20T12:37:52", "id": "RHSA-2022:1444", "href": "https://access.redhat.com/errata/RHSA-2022:1444", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-20T12:01:49", "type": "redhat", "title": "(RHSA-2022:1443) Important: java-11-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-20T12:17:42", "id": "RHSA-2022:1443", "href": "https://access.redhat.com/errata/RHSA-2022:1443", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-20T12:00:56", "type": "redhat", "title": "(RHSA-2022:1441) Important: java-11-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-20T12:37:49", "id": "RHSA-2022:1441", "href": "https://access.redhat.com/errata/RHSA-2022:1441", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-25T14:31:07", "type": "redhat", "title": "(RHSA-2022:1490) Important: java-1.8.0-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-25T14:31:34", "id": "RHSA-2022:1490", "href": "https://access.redhat.com/errata/RHSA-2022:1490", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nThis release of the Red Hat build of OpenJDK 11 (11.0.15) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.14) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-28T18:58:34", "type": "redhat", "title": "(RHSA-2022:1435) Important: OpenJDK 11.0.15 security update for Portable Linux Builds", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-28T18:58:44", "id": "RHSA-2022:1435", "href": "https://access.redhat.com/errata/RHSA-2022:1435", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-25T14:35:47", "type": "redhat", "title": "(RHSA-2022:1488) Important: java-1.8.0-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-25T14:42:11", "id": "RHSA-2022:1488", "href": "https://access.redhat.com/errata/RHSA-2022:1488", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nThis release of the Red Hat build of OpenJDK 8 (8u332) for Windows serves as a replacement for the Red Hat build of OpenJDK 8 (8u322) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-28T18:57:15", "type": "redhat", "title": "(RHSA-2022:1492) Important: OpenJDK 8u332 Windows builds release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-28T18:57:38", "id": "RHSA-2022:1492", "href": "https://access.redhat.com/errata/RHSA-2022:1492", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-25T14:33:34", "type": "redhat", "title": "(RHSA-2022:1489) Important: java-1.8.0-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-25T14:34:00", "id": "RHSA-2022:1489", "href": "https://access.redhat.com/errata/RHSA-2022:1489", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\n\nThis release of the Red Hat build of OpenJDK 11 (11.0.15) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.14) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-28T18:58:31", "type": "redhat", "title": "(RHSA-2022:1439) Important: OpenJDK 11.0.15 security update for Windows Builds", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-28T18:59:03", "id": "RHSA-2022:1439", "href": "https://access.redhat.com/errata/RHSA-2022:1439", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-25T15:17:09", "type": "redhat", "title": "(RHSA-2022:1491) Important: java-1.8.0-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-25T15:17:39", "id": "RHSA-2022:1491", "href": "https://access.redhat.com/errata/RHSA-2022:1491", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.\n\nThis release of the Red Hat build of OpenJDK 17 (17.0.3) for portable Linux\nserves as a replacement for the Red Hat build of OpenJDK 17 (17.0.2) and\nincludes security and bug fixes, and enhancements. For further information,\nrefer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\n* OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-28T19:02:41", "type": "redhat", "title": "(RHSA-2022:1436) Important: OpenJDK 17.0.3 security update for Portable Linux Builds", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-28T19:02:54", "id": "RHSA-2022:1436", "href": "https://access.redhat.com/errata/RHSA-2022:1436", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.\n\nThis release of the Red Hat build of OpenJDK 17 (17.0.3) for portable Linux\nserves as a replacement for the Red Hat build of OpenJDK 17 (17.0.2) and\nincludes security and bug fixes, and enhancements. For further information,\nrefer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\n* OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-28T19:02:34", "type": "redhat", "title": "(RHSA-2022:1437) Important: OpenJDK 17.0.3 security update for Windows Builds", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-28T19:03:15", "id": "RHSA-2022:1437", "href": "https://access.redhat.com/errata/RHSA-2022:1437", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-17T22:32:49", "type": "redhat", "title": "(RHSA-2022:1729) Important: java-17-openjdk security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-17T23:05:22", "id": "RHSA-2022:1729", "href": "https://access.redhat.com/errata/RHSA-2022:1729", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.\n\nSecurity Fix(es):\n\n* OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\n\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Enable the import of plain keys into the NSS Software Token while in FIPS mode [rhel-8, openjdk-17] (BZ#2018189)\n\n* Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode [rhel-8, openjdk-17] (BZ#2055396)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-20T12:21:21", "type": "redhat", "title": "(RHSA-2022:1445) Important: java-17-openjdk security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21449", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-04-20T12:47:21", "id": "RHSA-2022:1445", "href": "https://access.redhat.com/errata/RHSA-2022:1445", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 4.8.41. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/RHBA-2022:2270\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nSecurity Fix(es):\n\n* openshift/router: route hijacking attack via crafted HAProxy\nconfiguration file (CVE-2022-1677)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.\n\nYou may download the oc tool and use it to inspect release image metadata as follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.41-x86_64\n\nThe image digest is sha256:4ebcb3aea63d4acbb92118d3ae7ed08d3ebb1a66e7f79fddbb4da74883a12d0a\n\n(For s390x architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.41-s390x\n\nThe image digest is sha256:5ed0fc5b89e3ec257db50f936f788492211e4de4a741f930191ab2d3bc7ceec3\n\n(For ppc64le architecture)\n\n $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.41-ppc64le\n\nThe image digest is sha256:908ec3688cc152b15faaea3f71bb4ba59565df60e9846f08fcd15a6c2b43274a\n\nAll OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available\nat https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-25T21:38:41", "type": "redhat", "title": "(RHSA-2022:2272) Moderate: OpenShift Container Platform 4.8.41 bug fix and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-25032", "CVE-2022-1271", "CVE-2022-1677", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-25T21:41:06", "id": "RHSA-2022:2272", "href": "https://access.redhat.com/errata/RHSA-2022:2272", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.50. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2022:1698\n\nSecurity Fix(es):\n\n* moby: Default inheritable capabilities for linux container should be\nempty (CVE-2022-24769)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\n\nAll OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-12T17:58:21", "type": "redhat", "title": "(RHSA-2022:1699) Moderate: OpenShift Container Platform 4.7.50 security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4083", "CVE-2022-0492", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496", "CVE-2022-24769", "CVE-2022-25636"], "modified": "2022-05-12T17:58:56", "id": "RHSA-2022:1699", "href": "https://access.redhat.com/errata/RHSA-2022:1699", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T15:27:36", "description": "The rh-sso-7/sso75-openshift-rhel8 container image has been updated for RHEL-8 based Middleware Containers to include the following security issues.\n\nSecurity Fix(es):\n\n* keycloak: Privilege escalation vulnerability on Token Exchange (CVE-2022-1245)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nUsers of rh-sso-7/sso75-openshift-rhel8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.\n\nYou can find images updated by this advisory in Red Hat Container Catalog (see References).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-04T13:18:30", "type": "redhat", "title": "(RHSA-2022:1713) Moderate: security update for rh-sso-7/sso75-openshift-rhel8 container image", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-25032", "CVE-2022-1154", "CVE-2022-1245", "CVE-2022-1271", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-04T13:18:56", "id": "RHSA-2022:1713", "href": "https://access.redhat.com/errata/RHSA-2022:1713", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "New Cryostat 2.1.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes and addressing the following security vulnerability: CVE-2021-3121 (see References)\n\nUsers of Cryostat 2.0.0 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.\n\nYou can find images updated by this advisory in Red Hat Container Catalog (see References).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T10:31:43", "type": "redhat", "title": "(RHSA-2022:1679) Moderate: Cryostat 2.1.0: new Cryostat on RHEL 8 container images", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-25032", "CVE-2021-3121", "CVE-2022-1154", "CVE-2022-1271", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-10T10:31:54", "id": "RHSA-2022:1679", "href": "https://access.redhat.com/errata/RHSA-2022:1679", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the container images for Red Hat OpenShift Container Platform 3.11.705. See the following advisory for the RPM packages for this release:\n\nhttps://access.redhat.com/errata/RHSA-2022:2280\n\nSpace precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/3.11/release_notes/ocp-3-11-release-notes.html\n\nSecurity Fix(es):\n\n* openshift/router: route hijacking attack via crafted HAProxy\nconfiguration file (CVE-2022-1677)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-31T08:29:31", "type": "redhat", "title": "(RHSA-2022:2281) Moderate: OpenShift Container Platform 3.11.705 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-25032", "CVE-2022-1271", "CVE-2022-1677", "CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496", "CVE-2022-21698", "CVE-2022-29036", "CVE-2022-29046", "CVE-2022-29599"], "modified": "2022-05-31T08:31:04", "id": "RHSA-2022:2281", "href": "https://access.redhat.com/errata/RHSA-2022:2281", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-07-26T13:39:17", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3136 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf;\n Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2023-21830)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2023-21843)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-17T00:00:00", "type": "nessus", "title": "RHEL 7 : java-1.8.0-ibm (RHSA-2023:3136)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21843"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src"], "id": "REDHAT-RHSA-2023-3136.NASL", "href": "https://www.tenable.com/plugins/nessus/175932", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2023:3136. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(175932);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2022-21426\", \"CVE-2023-21830\", \"CVE-2023-21843\");\n script_xref(name:\"RHSA\", value:\"2023:3136\");\n\n script_name(english:\"RHEL 7 : java-1.8.0-ibm (RHSA-2023:3136)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2023:3136 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf;\n Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle\n GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update,\n insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web\n Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from\n the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java\n deployments, typically in servers, that load and run only trusted code (e.g., code installed by an\n administrator). (CVE-2023-21830)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17,\n 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not\n apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed\n by an administrator). (CVE-2023-21843)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2023-21830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2023-21843\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2023:3136\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21426\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2023-21830\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(400, 502, 646, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-ibm-src\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/os',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/client/7/7Client/x86_64/os',\n 'content/dist/rhel/client/7/7Client/x86_64/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/os',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/os',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/os',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/os',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/os',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/os',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/server/7/7Server/x86_64/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/os',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/os',\n 'content/fastrack/rhel/client/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/os',\n 'content/fastrack/rhel/client/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/os',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/os',\n 'content/fastrack/rhel/computenode/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/os',\n 'content/fastrack/rhel/power/7/ppc64/optional/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/os',\n 'content/fastrack/rhel/power/7/ppc64/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/os',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/optional/debug',\n 'content/fastrack/rhel/server/7/x86_64/optional/os',\n 'content/fastrack/rhel/server/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/debug',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/os',\n 'content/fastrack/rhel/system-z/7/s390x/optional/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/os',\n 'content/fastrack/rhel/system-z/7/s390x/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/os',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/os',\n 'content/fastrack/rhel/workstation/7/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-plugin-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-plugin-1.8.0.8.0-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-ibm / java-1.8.0-ibm-demo / java-1.8.0-ibm-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-26T13:31:42", "description": "The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1850-1 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf;\n Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2023-21830)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1;\n Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2023-21835)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2023-21843)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-15T00:00:00", "type": "nessus", "title": "SUSE SLES15 / openSUSE 15 Security Update : java-1_8_0-ibm (SUSE-SU-2023:1850-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2023-21830", "CVE-2023-21835", "CVE-2023-21843"], "modified": "2023-07-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:java-1_8_0-ibm", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel", "p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2023-1850-1.NASL", "href": "https://www.tenable.com/plugins/nessus/174375", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2023:1850-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174375);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/14\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2023-21830\",\n \"CVE-2023-21835\",\n \"CVE-2023-21843\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2023:1850-1\");\n\n script_name(english:\"SUSE SLES15 / openSUSE 15 Security Update : java-1_8_0-ibm (SUSE-SU-2023:1850-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the SUSE-SU-2023:1850-1 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf;\n Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle\n GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update,\n insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web\n Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from\n the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java\n deployments, typically in servers, that load and run only trusted code (e.g., code installed by an\n administrator). (CVE-2023-21830)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JSSE). Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1;\n Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a\n partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This\n vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java\n deployments, typically in servers, that load and run only trusted code (e.g., code installed by an\n administrator). (CVE-2023-21835)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17,\n 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not\n apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed\n by an administrator). (CVE-2023-21843)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1207246\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1207248\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1207249\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1208480\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.suse.com/pipermail/sle-updates/2023-April/028817.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2023-21830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2023-21835\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2023-21843\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21426\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2023-21830\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:java-1_8_0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES|SUSE)\") audit(AUDIT_OS_NOT, \"SUSE / openSUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)(?:_SAP)?\\d+|SUSE([\\d.]+))\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE / openSUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15|SLES_SAP15|SUSE15\\.4)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / SLES_SAP15 / openSUSE 15', 'SUSE / openSUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE / openSUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1|2|3|4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP1/2/3/4\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES_SAP15\" && (! preg(pattern:\"^(1|2|3|4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES_SAP15 SP1/2/3/4\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.2']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.3']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-3']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-3']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-3']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-3']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.3']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.3', 'sles-ltss-release-15.3']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.3']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.3', 'sles-ltss-release-15.3']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-legacy-release-15.4', 'sles-release-15.4']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-legacy-release-15.4', 'sles-release-15.4']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-legacy-release-15.4', 'sles-release-15.4']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-legacy-release-15.4', 'sles-release-15.4']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'java-1_8_0-ibm-32bit-1.8.0_sr8.0-150000.3.71.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'java-1_8_0-ibm-demo-1.8.0_sr8.0-150000.3.71.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'java-1_8_0-ibm-devel-32bit-1.8.0_sr8.0-150000.3.71.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'java-1_8_0-ibm-src-1.8.0_sr8.0-150000.3.71.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.2']},\n {'reference':'java-1_8_0-ibm-alsa-1.8.0_sr8.0-150000.3.71.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.2']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.2']},\n {'reference':'java-1_8_0-ibm-plugin-1.8.0_sr8.0-150000.3.71.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.2']},\n {'reference':'java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.3']},\n {'reference':'java-1_8_0-ibm-devel-1.8.0_sr8.0-150000.3.71.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.3']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1_8_0-ibm / java-1_8_0-ibm-32bit / java-1_8_0-ibm-alsa / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:36:14", "description": "The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:2137 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-16T00:00:00", "type": "nessus", "title": "AlmaLinux 9 : java-1.8.0-openjdk (ALSA-2022:2137)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-11-17T00:00:00", "cpe": ["p-cpe:/a:alma:linux:java-1.8.0-openjdk", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo-slowdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel-slowdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless-slowdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-slowdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-src", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-src-fastdebug", "p-cpe:/a:alma:linux:java-1.8.0-openjdk-src-slowdebug", "cpe:/o:alma:linux:9", "cpe:/o:alma:linux:9::appstream", "cpe:/o:alma:linux:9::crb"], "id": "ALMA_LINUX_ALSA-2022-2137.NASL", "href": "https://www.tenable.com/plugins/nessus/167673", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# AlmaLinux Security Advisory ALSA-2022:2137.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167673);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/17\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"ALSA\", value:\"2022:2137\");\n\n script_name(english:\"AlmaLinux 9 : java-1.8.0-openjdk (ALSA-2022:2137)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AlmaLinux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nALSA-2022:2137 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://errata.almalinux.org/9/ALSA-2022-2137.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 191, 400, 470, 770);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:alma:linux:java-1.8.0-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:alma:linux:9::crb\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Alma Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AlmaLinux/release\", \"Host/AlmaLinux/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/AlmaLinux/release');\nif (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');\nvar os_ver = pregmatch(pattern: \"AlmaLinux release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 9.x', 'AlmaLinux ' + os_ver);\n\nif (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);\n\nvar pkgs = [\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:40:21", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1442 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-21T00:00:00", "type": "nessus", "title": "RHEL 8 : java-11-openjdk (RHSA-2022:1442)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-slowdebug"], "id": "REDHAT-RHSA-2022-1442.NASL", "href": "https://www.tenable.com/plugins/nessus/160023", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1442. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160023);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1442\");\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"RHEL 8 : java-11-openjdk (RHSA-2022:1442)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1442 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1442\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T20:31:35", "description": "The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1728 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-08T00:00:00", "type": "nessus", "title": "RHEL 9 : java-11-openjdk (RHSA-2022:1728)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:9", "cpe:/o:redhat:rhel_e4s:9.0", "cpe:/o:redhat:rhel_eus:9.0", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-slowdebug"], "id": "REDHAT-RHSA-2022-1728.NASL", "href": "https://www.tenable.com/plugins/nessus/164869", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1728. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164869);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1728\");\n\n script_name(english:\"RHEL 9 : java-11-openjdk (RHSA-2022:1728)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1728 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1728\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-11-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '9')) audit(AUDIT_OS_NOT, 'Red Hat 9.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel9/9/aarch64/appstream/debug',\n 'content/dist/rhel9/9/aarch64/appstream/os',\n 'content/dist/rhel9/9/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/baseos/debug',\n 'content/dist/rhel9/9/aarch64/baseos/os',\n 'content/dist/rhel9/9/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/codeready-builder/debug',\n 'content/dist/rhel9/9/aarch64/codeready-builder/os',\n 'content/dist/rhel9/9/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/highavailability/debug',\n 'content/dist/rhel9/9/aarch64/highavailability/os',\n 'content/dist/rhel9/9/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/aarch64/supplementary/debug',\n 'content/dist/rhel9/9/aarch64/supplementary/os',\n 'content/dist/rhel9/9/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/appstream/debug',\n 'content/dist/rhel9/9/ppc64le/appstream/os',\n 'content/dist/rhel9/9/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/baseos/debug',\n 'content/dist/rhel9/9/ppc64le/baseos/os',\n 'content/dist/rhel9/9/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/debug',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/os',\n 'content/dist/rhel9/9/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/highavailability/debug',\n 'content/dist/rhel9/9/ppc64le/highavailability/os',\n 'content/dist/rhel9/9/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/debug',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/os',\n 'content/dist/rhel9/9/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/debug',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/os',\n 'content/dist/rhel9/9/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/sap/debug',\n 'content/dist/rhel9/9/ppc64le/sap/os',\n 'content/dist/rhel9/9/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel9/9/ppc64le/supplementary/debug',\n 'content/dist/rhel9/9/ppc64le/supplementary/os',\n 'content/dist/rhel9/9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/appstream/debug',\n 'content/dist/rhel9/9/x86_64/appstream/os',\n 'content/dist/rhel9/9/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/baseos/debug',\n 'content/dist/rhel9/9/x86_64/baseos/os',\n 'content/dist/rhel9/9/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/codeready-builder/debug',\n 'content/dist/rhel9/9/x86_64/codeready-builder/os',\n 'content/dist/rhel9/9/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/highavailability/debug',\n 'content/dist/rhel9/9/x86_64/highavailability/os',\n 'content/dist/rhel9/9/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/nfv/debug',\n 'content/dist/rhel9/9/x86_64/nfv/os',\n 'content/dist/rhel9/9/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/resilientstorage/debug',\n 'content/dist/rhel9/9/x86_64/resilientstorage/os',\n 'content/dist/rhel9/9/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/rt/debug',\n 'content/dist/rhel9/9/x86_64/rt/os',\n 'content/dist/rhel9/9/x86_64/rt/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/sap-solutions/debug',\n 'content/dist/rhel9/9/x86_64/sap-solutions/os',\n 'content/dist/rhel9/9/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/sap/debug',\n 'content/dist/rhel9/9/x86_64/sap/os',\n 'content/dist/rhel9/9/x86_64/sap/source/SRPMS',\n 'content/dist/rhel9/9/x86_64/supplementary/debug',\n 'content/dist/rhel9/9/x86_64/supplementary/os',\n 'content/dist/rhel9/9/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.10-1.el9_0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/e4s/rhel9/9.0/aarch64/appstream/debug',\n 'content/e4s/rhel9/9.0/aarch64/appstream/os',\n 'content/e4s/rhel9/9.0/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/aarch64/baseos/debug',\n 'content/e4s/rhel9/9.0/aarch64/baseos/os',\n 'content/e4s/rhel9/9.0/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/debug',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/os',\n 'content/e4s/rhel9/9.0/aarch64/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/debug',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/os',\n 'content/e4s/rhel9/9.0/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/debug',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/os',\n 'content/e4s/rhel9/9.0/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/debug',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/os',\n 'content/e4s/rhel9/9.0/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/debug',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/os',\n 'content/e4s/rhel9/9.0/ppc64le/resilientstorage/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/os',\n 'content/e4s/rhel9/9.0/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel9/9.0/ppc64le/sap/debug',\n 'content/e4s/rhel9/9.0/ppc64le/sap/os',\n 'content/e4s/rhel9/9.0/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/appstream/debug',\n 'content/e4s/rhel9/9.0/x86_64/appstream/os',\n 'content/e4s/rhel9/9.0/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/baseos/debug',\n 'content/e4s/rhel9/9.0/x86_64/baseos/os',\n 'content/e4s/rhel9/9.0/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/debug',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/os',\n 'content/e4s/rhel9/9.0/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/nfv/debug',\n 'content/e4s/rhel9/9.0/x86_64/nfv/os',\n 'content/e4s/rhel9/9.0/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/debug',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/os',\n 'content/e4s/rhel9/9.0/x86_64/resilientstorage/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/rt/debug',\n 'content/e4s/rhel9/9.0/x86_64/rt/os',\n 'content/e4s/rhel9/9.0/x86_64/rt/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/debug',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/os',\n 'content/e4s/rhel9/9.0/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel9/9.0/x86_64/sap/debug',\n 'content/e4s/rhel9/9.0/x86_64/sap/os',\n 'content/e4s/rhel9/9.0/x86_64/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/appstream/debug',\n 'content/eus/rhel9/9.0/aarch64/appstream/os',\n 'content/eus/rhel9/9.0/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/baseos/debug',\n 'content/eus/rhel9/9.0/aarch64/baseos/os',\n 'content/eus/rhel9/9.0/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/debug',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/os',\n 'content/eus/rhel9/9.0/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/highavailability/debug',\n 'content/eus/rhel9/9.0/aarch64/highavailability/os',\n 'content/eus/rhel9/9.0/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/aarch64/supplementary/debug',\n 'content/eus/rhel9/9.0/aarch64/supplementary/os',\n 'content/eus/rhel9/9.0/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/appstream/debug',\n 'content/eus/rhel9/9.0/ppc64le/appstream/os',\n 'content/eus/rhel9/9.0/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/baseos/debug',\n 'content/eus/rhel9/9.0/ppc64le/baseos/os',\n 'content/eus/rhel9/9.0/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/debug',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/os',\n 'content/eus/rhel9/9.0/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/debug',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/os',\n 'content/eus/rhel9/9.0/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/debug',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/os',\n 'content/eus/rhel9/9.0/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/debug',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/os',\n 'content/eus/rhel9/9.0/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/sap/debug',\n 'content/eus/rhel9/9.0/ppc64le/sap/os',\n 'content/eus/rhel9/9.0/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/debug',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/os',\n 'content/eus/rhel9/9.0/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/appstream/debug',\n 'content/eus/rhel9/9.0/x86_64/appstream/os',\n 'content/eus/rhel9/9.0/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/baseos/debug',\n 'content/eus/rhel9/9.0/x86_64/baseos/os',\n 'content/eus/rhel9/9.0/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/debug',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/os',\n 'content/eus/rhel9/9.0/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/highavailability/debug',\n 'content/eus/rhel9/9.0/x86_64/highavailability/os',\n 'content/eus/rhel9/9.0/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/debug',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/os',\n 'content/eus/rhel9/9.0/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/debug',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/os',\n 'content/eus/rhel9/9.0/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/sap/debug',\n 'content/eus/rhel9/9.0/x86_64/sap/os',\n 'content/eus/rhel9/9.0/x86_64/sap/source/SRPMS',\n 'content/eus/rhel9/9.0/x86_64/supplementary/debug',\n 'content/eus/rhel9/9.0/x86_64/supplementary/os',\n 'content/eus/rhel9/9.0/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-11-openjdk-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'ppc64le', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.10-1.el9_0', 'sp':'0', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:39:54", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1488 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-26T00:00:00", "type": "nessus", "title": "RHEL 8 : java-1.8.0-openjdk (RHSA-2022:1488)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:rhel_e4s:8.1", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src"], "id": "REDHAT-RHSA-2022-1488.NASL", "href": "https://www.tenable.com/plugins/nessus/160210", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1488. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160210);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1488\");\n\n script_name(english:\"RHEL 8 : java-1.8.0-openjdk (RHSA-2022:1488)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1488 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1488\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'eq', os_version: os_ver, rhel_version: '8.1')) audit(AUDIT_OS_NOT, 'Red Hat 8.1', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/e4s/rhel8/8.1/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.1/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.1/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.1/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.1/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.1/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.1/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.1/ppc64le/sap/os',\n 'content/e4s/rhel8/8.1/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.1/x86_64/appstream/os',\n 'content/e4s/rhel8/8.1/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.1/x86_64/baseos/os',\n 'content/e4s/rhel8/8.1/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.1/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.1/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.1/x86_64/sap/debug',\n 'content/e4s/rhel8/8.1/x86_64/sap/os',\n 'content/e4s/rhel8/8.1/x86_64/sap/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_1', 'sp':'1', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1', 'sp':'1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var subscription_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in the Red Hat Enterprise Linux\\n' +\n 'Update Services for SAP Solutions repository.\\n' +\n 'Access to this repository requires a paid RHEL subscription.\\n';\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = subscription_caveat + rpm_report_get() + redhat_report_repo_caveat();\n else extra = subscription_caveat + rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-1.8.0-openjdk / java-1.8.0-openjdk-accessibility / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:45", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-1442 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-21T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : java-11-openjdk (ELSA-2022-1442)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-08-09T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:java-11-openjdk", "p-cpe:/a:oracle:linux:java-11-openjdk-demo", "p-cpe:/a:oracle:linux:java-11-openjdk-demo-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-demo-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-devel", "p-cpe:/a:oracle:linux:java-11-openjdk-devel-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-devel-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-headless", "p-cpe:/a:oracle:linux:java-11-openjdk-headless-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-headless-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:oracle:linux:java-11-openjdk-jmods", "p-cpe:/a:oracle:linux:java-11-openjdk-jmods-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-jmods-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-src", "p-cpe:/a:oracle:linux:java-11-openjdk-src-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-src-slowdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-static-libs", "p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-fastdebug", "p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-slowdebug"], "id": "ORACLELINUX_ELSA-2022-1442.NASL", "href": "https://www.tenable.com/plugins/nessus/160052", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-1442.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160052);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/09\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n\n script_name(english:\"Oracle Linux 8 : java-11-openjdk (ELSA-2022-1442)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-1442 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-1442.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-jmods-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-jmods-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-static-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-11-openjdk-static-libs-slowdebug\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-demo-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-devel-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-headless-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-jmods-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-src-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-fastdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-11-openjdk-static-libs-slowdebug-11.0.15.0.9-2.el8_5', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-demo / java-11-openjdk-demo-fastdebug / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:09", "description": "The version of java-11-amazon-corretto installed on the remote host is prior to 11.0.15+9-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1790 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-27T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : java-11-amazon-corretto (ALAS-2022-1790)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-08-09T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-11-amazon-corretto", "p-cpe:/a:amazon:linux:java-11-amazon-corretto-headless", "p-cpe:/a:amazon:linux:java-11-amazon-corretto-javadoc", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2022-1790.NASL", "href": "https://www.tenable.com/plugins/nessus/160266", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1790.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160266);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/08/09\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"IAVA\", value:\"2022-A-0170-S\");\n script_xref(name:\"ALAS\", value:\"2022-1790\");\n\n script_name(english:\"Amazon Linux 2 : java-11-amazon-corretto (ALAS-2022-1790)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of java-11-amazon-corretto installed on the remote host is prior to 11.0.15+9-1. It is, therefore, affected\nby multiple vulnerabilities as referenced in the ALAS2-2022-1790 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2022-1790.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21426.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21434.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21443.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-21496.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update java-11-amazon-corretto' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-11-amazon-corretto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-11-amazon-corretto-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-11-amazon-corretto-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'java-11-amazon-corretto-11.0.15+9-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-11.0.15+9-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-headless-11.0.15+9-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-headless-11.0.15+9-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-javadoc-11.0.15+9-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-amazon-corretto-javadoc-11.0.15+9-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-11-amazon-corretto / java-11-amazon-corretto-headless / java-11-amazon-corretto-javadoc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-13T15:02:13", "description": "The remote Ubuntu 20.04 LTS / 21.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5388-1 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-26T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 21.10 : OpenJDK vulnerabilities (USN-5388-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-07-10T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:21.10", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-demo", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk-headless", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-headless", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-zero", "p-cpe:/a:canonical:ubuntu_linux:openjdk-11-source"], "id": "UBUNTU_USN-5388-1.NASL", "href": "https://www.tenable.com/plugins/nessus/160206", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5388-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160206);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/10\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"USN\", value:\"5388-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 21.10 : OpenJDK vulnerabilities (USN-5388-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 21.10 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-5388-1 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21426)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition\n accessible data. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2022-21434)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running\n sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,\n code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also\n be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to\n the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2022-21443)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,\n 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in\n unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise\n Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients\n running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code\n (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability\n can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies\n data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2022-21476)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,\n 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5388-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-jre-zero\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openjdk-11-source\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('18.04' >< os_release || '20.04' >< os_release || '21.10' >< os_release || '22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04 / 21.10 / 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '18.04', 'pkgname': 'openjdk-11-demo', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jdk', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jdk-headless', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jre', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jre-headless', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-jre-zero', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '18.04', 'pkgname': 'openjdk-11-source', 'pkgver': '11.0.15+10-0ubuntu0.18.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-demo', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jdk', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jdk-headless', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jre', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jre-headless', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-jre-zero', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'openjdk-11-source', 'pkgver': '11.0.15+10-0ubuntu0.20.04.1'},\n {'osver': '21.10', 'pkgname': 'openjdk-11-demo', 'pkgver': '11.0.15+10-0ubuntu0.21.10.1'},\n {'osver': '21.10', 'pkgname': 'openjdk-11-jdk', 'pkgver': '11.0.15+10-0ubuntu0.21.10.1'},\n {'osver': '21.10', 'pkgname': 'openjdk-11-jdk-headless', 'pkgver': '11.0.15+10-0ubuntu0.21.10.1'},\n {'osver': '21.10', 'pkgname': 'openjdk-11-jre', 'pkgver': '11.0.15+10-0ubuntu0.21.10.1'},\n {'osver': '21.10', 'pkgname': 'openjdk-11-jre-headless', 'pkgver': '11.0.15+10-0ubuntu0.21.10.1'},\n {'osver': '21.10', 'pkgname': 'openjdk-11-jre-zero', 'pkgver': '11.0.15+10-0ubuntu0.21.10.1'},\n {'osver': '21.10', 'pkgname': 'openjdk-11-source', 'pkgver': '11.0.15+10-0ubuntu0.21.10.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-demo', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jdk', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jdk-headless', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jre', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jre-headless', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-jre-zero', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'openjdk-11-source', 'pkgver': '11.0.15+10-0ubuntu0.22.04.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openjdk-11-demo / openjdk-11-jdk / openjdk-11-jdk-headless / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:34", "description": "The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the SLSA-2022:1440-1 advisory.\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-21T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : java-11-openjdk on SL7.x i686/x86_64 (2022:1440)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2022-05-06T00:00:00", "cpe": ["cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-debuginfo", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-demo", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-devel", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-headless", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-javadoc", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-javadoc-zip", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-jmods", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-src", "p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-static-libs"], "id": "SL_20220420_JAVA_11_OPENJDK_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/160059", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160059);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/06\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"RHSA-2022:1440\");\n\n script_name(english:\"Scientific Linux Security Update : java-11-openjdk on SL7.x i686/x86_64 (2022:1440)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Scientific Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Scientific Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SLSA-2022:1440-1 advisory.\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.scientificlinux.org/category/sl-errata/slsa-20221440-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fermilab:scientific_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-jmods\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:java-11-openjdk-static-libs\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Scientific Linux' >!< release) audit(AUDIT_OS_NOT, 'Scientific Linux');\nvar os_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Scientific Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Scientific Linux 7.x', 'Scientific Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Scientific Linux', cpu);\n\nvar pkgs = [\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-demo-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-devel-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-headless-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-jmods-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-src-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9', 'cpu':'i686', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9', 'cpu':'x86_64', 'release':'SL7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'java-11-openjdk / java-11-openjdk-debuginfo / java-11-openjdk-demo / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:40:37", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:1491 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-26T00:00:00", "type": "nessus", "title": "RHEL 8 : java-1.8.0-openjdk (RHSA-2022:1491)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21426", "CVE-2022-21434", "CVE-2022-21443", "CVE-2022-21476", "CVE-2022-21496"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-slowdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-fastdebug", "p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-slowdebug"], "id": "REDHAT-RHSA-2022-1491.NASL", "href": "https://www.tenable.com/plugins/nessus/160198", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2022:1491. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160198);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2022-21426\",\n \"CVE-2022-21434\",\n \"CVE-2022-21443\",\n \"CVE-2022-21476\",\n \"CVE-2022-21496\"\n );\n script_xref(name:\"RHSA\", value:\"2022:1491\");\n\n script_name(english:\"RHEL 8 : java-1.8.0-openjdk (RHSA-2022:1491)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2022:1491 advisory.\n\n - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)\n (CVE-2022-21426)\n\n - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)\n (CVE-2022-21434)\n\n - OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n\n - OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n\n - OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21476\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2022-21496\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2022:1491\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075793\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/2075849\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21496\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-21476\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 179, 191, 400, 470, 770, 1173);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-accessibility-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-demo-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-devel-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-headless-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-javadoc-zip\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-slowdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-fastdebug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.8.0-openjdk-src-slowdebug\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'ppc64le', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5', 'sp':'6', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n

CVE-2022-21426

Description

Affected Software

Related