177 matches found

Spring Engineering
added 2022/12/27 8:00 a.m. · 25 views

This Week in Spring - Happy New Year 2023 edition - December 27th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's 27 December as I write this and - being honest - I couldn't be happier. It's raining outside. I'm in a warm cozy office. Good music is playing. People are asleep in my home. I can hear the raindrops and wind outside the...

AI score 7.4
Exploits 0
OpenVAS
added 2022/11/25 12:00 a.m. · 30 views

Apache Commons Text 1.5 - 1.9 RCE Vulnerability (Text4Shell)

The Apache Commons Text library is prone to a remote code execution (RCE) vulnerability dubbed Text4Shell. SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CP...

CVSS 9.8 · AI score 7.9 · EPSS 0.94251
Exploits 41 · References 4
OSV
added 2022/10/26 4:15 p.m. · 2 views

CVE-2022-43766

Apache IoTDB version 0.12.2 to 0.12.6, 0.13.0 to 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. Users should upgrade to 0.13.3 which addresses this issue or use a later version of Java to avoid it...

CVSS 7.5 · AI score 7.4
Exploits 0 · References 1
IBM Security Bulletins
added 2022/10/18 12:07 p.m. · 23 views

Security Bulletin: The IBM® Engineering Lifecycle Management products recommendation for Java CPU CVE-2021-35561

Summary: Java version 7.0.11.5 and earlier, 7.1.5.5 and earlier, and 8.0.7.6 and earlier are affected by a flaw in the java.util component that allows an attacker to inflict a denial of service via malicious serialized data which triggers an OutOfMemoryError. Vulnerability Details: Refer to the security...

CVSS 5.3 · AI score 6.3 · EPSS 0.00176
Exploits 0 · Affected Software 1
Citrix
added 2022/08/31 12:00 a.m. · 4 views

Unable to use managed-app-utility.jar from MAM-SDK with Java 11

Building a custom app using Java 11 or later, the gradle build chain fails when invoking the final stage "task generateMdx", as the jar file for this stage requires Java 1.7/1.8 (Java/JDK 8)...

AI score 7.2
Exploits 0
Debian CVE
added 2022/05/06 12:05 p.m. · 39 views

CVE-2022-24823

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local syst...

CVSS 5.5 · AI score 6.7 · EPSS 0.00401
Exploits 1
Vulnrichment
added 2022/05/06 12:05 p.m. · 9 views

CVE-2022-24823 Local Information Disclosure Vulnerability in io.netty:netty-codec-http

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local syst...

CVSS 5.5 · AI score 5.7 · EPSS 0.00401
Exploits 1 · References 5
OSV
added 2022/04/19 1:23 p.m. · 7 views

SUSE-SU-2022:1265-1 Security update for jsoup, jsr-305

This update for jsoup, jsr-305 fixes the following issues: - CVE-2021-37714: Fixed infinite loop in untrusted HTML or XML data parsing (bsc#1189749). Changes in jsr-305: - Build with java source and target levels 8. - Upgrade to upstream version 3.0.2. Changes in jsoup: - Upgrade to upstream version 1.14.2...

CVSS 7.5 · AI score 7.5 · EPSS 0.04351
Exploits 0 · References 3
Cvelist
added 2022/02/11 12:20 p.m. · 11 views

CVE-2022-24289 Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and...

AI score 9.1 · EPSS 0.02893
Exploits 0 · References 2
Positive Technologies
added 2022/02/09 12:00 a.m. · 4 views

PT-2022-1739 · Sap · Sap Content Server +4

Name of the Vulnerable Software and Affected Versions: SAP NetWeaver Application Server ABAP versions 7.53 and earlier; SAP NetWeaver Application Server Java versions 7.53 and earlier; ABAP Platform versions 7.53 and earlier; SAP Content Server versions 7.53 and earlier; SAP Web Dispatcher versions...

CVSS 10 · AI score 9.9 · EPSS 0.93833
Exploits 8 · References 25
IBM Security Bulletins
added 2022/01/17 7:30 p.m. · 37 views

Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it (CVE-2021-2161)

Summary: IBM Rational Build Forge version 8.0 to 8.0.0.20 is affected by the Java version used in it (CVE-2021-2161). Vulnerability Details: CVEID: CVE-2021-2161 DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no...

CVSS 5.9 · AI score 5.3 · EPSS 0.01132
Exploits 0 · Affected Software 1
IBM Security Bulletins
added 2022/01/17 7:26 p.m. · 33 views

Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it (CVE-2021-2388, CVE-2021-2369, CVE-2021-2432)

Summary: IBM Rational Build Forge version 8.0 to 8.0.0.20 is affected by the Java version used in it (CVE-2021-2388, CVE-2021-2369, CVE-2021-2432). Vulnerability Details: CVEID: CVE-2021-2388 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticat...

CVSS 7.5 · AI score 6.2 · EPSS 0.00805
Exploits 0 · Affected Software 1
GithubExploit
added 2021/12/20 3:16 a.m. · 436 views

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

Log4Shell CVE-2021-44228 https://nvd.nist.gov/vuln/detail/C...

CVSS 10 · AI score 9.1 · EPSS 0.94358
Exploits 341
RedHat Linux
added 2021/08/11 6:21 p.m. · 1 view

XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly...

CVSS 7.7 · AI score 5.9 · EPSS 0.9368
Exploits 4 · References 4
NVD
added 2021/06/10 11:15 a.m. · 10 views

CVE-2021-34539

An issue was discovered in CubeCoders AMP before 2.1.1.8. A lack of validation of the Java Version setting means that an unintended executable path can be set. The result is that high-privileged users can trigger code execution...

CVSS 7.2 · EPSS 0.00921
Exploits 1 · References 1
OSV
added 2021/06/10 11:15 a.m. · 0 views

CVE-2021-34539

An issue was discovered in CubeCoders AMP before 2.1.1.8. A lack of validation of the Java Version setting means that an unintended executable path can be set. The result is that high-privileged users can trigger code execution...

CVSS 7.2 · AI score 5.8
Exploits 0 · References 1
Prion
added 2021/06/10 11:15 a.m. · 9 views

Design/Logic Flaw

An issue was discovered in CubeCoders AMP before 2.1.1.8. A lack of validation of the Java Version setting means that an unintended executable path can be set. The result is that high-privileged users can trigger code execution...

CVSS 6.5 · AI score 7.2 · EPSS 0.00921
Exploits 1 · References 1 · Affected Software 1
Positive Technologies
added 2021/06/01 12:00 a.m. · 3 views

PT-2021-24353 · Amazon Web Services · Aws Encryption Sdk For Java

Name of the Vulnerable Software and Affected Versions: AWS Encryption SDK for Java versions 2.0.0 through 2.2.0; AWS Encryption SDK for Java versions less than 1.9.0. Description: The issue concerns the incorrect validation of some invalid ECDSA signatures. This affects the integrity of the...

CVSS 6.9 · AI score 7.4 · EPSS 0.00129
Exploits 0 · References 12
GithubExploit
added 2021/04/30 6:55 a.m. · 624 views

Exploit for Deserialization of Untrusted Data in Apache Ofbiz

CVE-2020-9496 - RCE. Because the 2 xmlrpc related requests in we...

CVSS 6.1 · AI score 7.5 · EPSS 0.93765
Exploits 16
OSV
added 2021/03/05 11:02 a.m. · 1 view

OESA-2021-1049 guava security update

Guava is a set of core Java libraries from Google that includes new collection types such as multimap and multiset, immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more! It is widely used on most Java projects within Google, a...

CVSS 3.3 · AI score 6.9 · EPSS 0.00072
Exploits 1 · References 2