1118 matches found
CVE-2018-14720
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization...
SUSE SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2018:1938-2)
This update for java-1_8_0-openjdk to version 8u171 fixes the following issues. These security issues were fixed: - S8180881: Better packaging of deserialization - S8182362: Update CipherOutputStream Usage - S8183032: Upgrade to LittleCMS 2.9 - S8189123: More consistent classloading - S8189969,...
SUSE SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2018:1938-1)
This update for java-1_8_0-openjdk to version 8u171 fixes the following issues. These security issues were fixed: - S8180881: Better packaging of deserialization - S8182362: Update CipherOutputStream Usage - S8183032: Upgrade to LittleCMS 2.9 - S8189123: More consistent classloading - S8189969,...
ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint
In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when third-party vulnerable classes are present on the Ignite classpath. The vulnerability can be...
Ubuntu: Security Advisory (USN-3830-1)
The remote host is missing an update for the... (Copyright 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are copyright of the respective right holders.)
USN-3830-1 openjdk-8, openjdk-lts regression
USN-3804-1 fixed vulnerabilities in OpenJDK. Unfortunately, that update introduced a regression when validating JAR files that prevented Java applications from finding classes in some situations. This update fixes the problem. We apologize for the inconvenience...
SUSE SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2018:1690-2)
This update for java-1_8_0-openjdk to version 8u171 fixes the following issues. These security issues were fixed: S8180881: Better packaging of deserialization; S8182362: Update CipherOutputStream Usage; S8183032: Upgrade to LittleCMS 2.9; S8189123: More consistent classloading; S8189969,...
GHSA-CHP4-RV79-68J3 Apache serialization mechanism does not have a list of classes allowed for serialization/deserialization
In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when third-party vulnerable classes are present on the Ignite classpath. The vulnerability can be exploited if the one...
bouncycastle: Carry propagation bug in math.raw.Nat??? class
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???); it has since been fixed. These classes are used by our custom elliptic curve implementations...
pwned - A command-line tool for querying the 'Have I been pwned?' service
A command-line tool for querying Troy Hunt's Have I been pwned? service using the hibp Node.js module. Installation: npm install pwned -g. Usage: pwned [option | command]. Commands: ba [options] - get all breaches for an account (username or email address); breaches [options] - get all breaches in the syst...
ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints
In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when third-party vulnerable classes are present on the Ignite classpath. The vulnerability can be exploited if the one...
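The Apache Ignite entries above describe the root cause as a deserialization endpoint with no allow-list of classes, so whatever class name an unauthenticated sender puts in the stream gets resolved and instantiated. The following is an added illustration, not Ignite's code or its fix, of what that looks like in plain Java: the same readObject() endpoint first without a filter and then with a JEP 290 allow-list (java.io.ObjectInputFilter, Java 9 or later). JobRequest is a hypothetical message type invented for the example, and the HashMap stands in for an attacker-chosen class; it is harmless here, but the point is that the unfiltered endpoint would accept a real gadget class from a third-party library just as readily.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example (not Ignite's code): one readObject() endpoint with and
 * without a deserialization allow-list. Requires Java 9+ for java.io.ObjectInputFilter.
 */
public class DeserializationAllowList {

    /** Hypothetical message type that the endpoint legitimately expects. */
    public static final class JobRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String jobId;
        public JobRequest(String jobId) { this.jobId = jobId; }
    }

    /** Helper: produce a serialized stream, standing in for bytes received from a client. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Vulnerable pattern: the stream names the class, ObjectInputStream resolves and
     * instantiates it, so any class on the classpath (including a gadget chain from a
     * third-party library) is reachable by whoever can reach the endpoint.
     */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened pattern (JEP 290): a pattern-based allow-list. Only JobRequest is accepted
     * (java.lang.String is listed for clarity; String data is not subject to class
     * filtering), "!*" rejects every other class, and the depth/array limits bound the
     * resource usage of a hostile but otherwise permitted object graph.
     */
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1024;" + JobRequest.class.getName() + ";java.lang.String;!*");

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new JobRequest("job-42"));
        // Constructed stand-in for an attacker-chosen class: an ordinary HashMap, harmless
        // here, but like a real gadget class it is not something this endpoint expects.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, JobRequest: " + readUnfiltered(legit).getClass().getSimpleName());
        System.out.println("unfiltered, HashMap:    " + readUnfiltered(unexpected).getClass().getSimpleName());
        System.out.println("filtered,   JobRequest: " + readFiltered(legit).getClass().getSimpleName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered,   HashMap:    accepted (allow-list is wrong)");
        } catch (InvalidClassException e) {
            // Expected: the filter reports status REJECTED and readObject() aborts
            // before the unexpected class is instantiated.
            System.out.println("filtered,   HashMap:    rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same filter syntax can be applied process-wide with the jdk.serialFilter system property, which is the right place for it when a framework rather than your own code owns the ObjectInputStream. A class allow-list only decides which classes may be instantiated; it does not fix flaws inside the readObject() of classes you do allow, which is the category covered by the OpenJDK "insufficient consistency checks in deserialization" entry further down this list, so keep the list short and keep the JDK patched.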
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software (CVE-2014-4263, CVE-2014-3566, CVE-2014-3065, CVE-2014-6457)
Summary: There are multiple vulnerabilities in IBM SDK Java Technology Edition, Versions 6 and 7, that are used by Rational Developer for i, Rational Developer for AIX and Linux, and Rational Developer for Power Systems Software. This also includes a fix for the Padding Oracle On Downgraded Legacy...
Security Bulletin: IBM Java Quarterly CPU - October 2014 affecting Rational Business Developer (CVE-2014-6457,CVE-2014-3065 and CVE-2014-3566)
Summary: IBM SDK, which is based on an Oracle Java Development Kit (JDK), is shipped with Rational Business Developer. Oracle has released the October 2014 critical patch update (CPU) that contains security vulnerability fixes for the JDK. The IBM SDK has been updated to incorporate these fixes and...
How to Customize NetScaler SD-WAN Virtual Path Traffic Classes
This article describes how to modify the traffic classes that are part of the NetScaler SD-WAN Virtual Path. Background: Citrix SD-WAN Standard & Enterprise Editions provide 17 classes (0-16). Classes 0-3 are predefined for Citrix HDX QoS prioritization. To use this feature, enable the following...
Deserialization of untrusted data
Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in...
mytutor.lk XSS vulnerability
Open Bug Bounty ID: OBB-639424

Description | Value
---|---
Affected Website: | mytutor.lk
Open Bug Bounty Program: | Create your bounty program now. It's open and free.
Vulnerable Application: | Custom Code
Vulnerability Type: | XSS (Cross Site Scripting) / CWE-79
CVSSv3 Score: | 6.1...
OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker wi...
Microsoft Windows: Prevent installation of devices also to already installed (Driver Setup Class)
This test checks the setting for policy "Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already..." (OpenVAS Vulnerability Test windenydriversalreadyinstalled.nasl, revision 11337, 2018-09-11, emoss).
Microsoft Windows: Block SBP-2 Driver and Thunderbolt controllers (Driver Setup Class)
This test checks the setting for policy "Blocking the SBP-2 driver and Thunderbolt controllers" (OpenVAS Vulnerability Test windenysbp2thunderboltdriver.nasl, revision 11532, 2018-09-21, cfischer). Authors: Emanuel Moss. Copyright (c) 2018 Greenbone Networks GmbH,...
Microsoft Windows: Prevent installation of devices (device setup classes)
This test checks the setting for policy "Prevent installation of devices using drivers that match these device setup classes" (OpenVAS Vulnerability Test windenydriverssetupclasses.nasl, revision 11337, 2018-09-11, emoss). Authors: Emanuel Moss. Copyright (c) 2018 Greenbon...