927 matches found

Source: OSV | added 2022/08/09 4:57 p.m. | 2 views

CLSA-2022-1660064249 Fix CVE(s): CVE-2022-21434, CVE-2022-21426, CVE-2022-21443, CVE-2022-34169, CVE-2022-21540, CVE-2022-21541, CVE-2022-21476, CVE-2022-21496

Backport upstream releases 8u342 and 8u332 to 16.04 LTS. Security fixes in 8u342: - JDK-8272243: Improve DER parsing - JDK-8272249: Better properties of loaded Properties - JDK-8277608: Address IP Addressing - JDK-8281859, CVE-2022-21540: Improve class compilation - JDK-8281866, CVE-2022-21541:...

CVSS 7.5 | AI score 6.9 | EPSS 0.10953 | Exploits: 2 | References: 1
Source: OSV | added 2022/08/03 7:06 p.m. | 13 views

SUSE-SU-2022:2660-1 Security update for java-17-openjdk

This update for java-17-openjdk fixes the following issues: Update to upstream tag jdk-17.0.4+8 (July 2022 CPU) - CVE-2022-21540: Improve class compilation (bsc#1201694) - CVE-2022-21541: Enhance MethodHandle invocations (bsc#1201692) - CVE-2022-34169: Improve Xalan supports (bsc#1201684) - CVE-2022-21549:...

CVSS 7.5 | AI score 6.5 | EPSS 0.10953 | Exploits: 2 | References: 9
Source: OSV | added 2022/08/01 7:56 a.m. | 8 views

SUSE-SU-2022:2610-1 Security update for java-11-openjdk

This update for java-11-openjdk fixes the following issues: Update to upstream tag jdk-11.0.16+8 (July 2022 CPU) - CVE-2022-21540: Improve class compilation (bsc#1201694) - CVE-2022-21541: Enhance MethodHandle invocations (bsc#1201692) - CVE-2022-34169: Improve Xalan supports (bsc#1201684)...

CVSS 7.5 | AI score 6.5 | EPSS 0.10953 | Exploits: 2 | References: 7
Source: Tenable Nessus | added 2022/07/27 12:00 a.m. | 43 views

Oracle Linux 9 : java-1.8.0-openjdk (ELSA-2022-5709)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-5709 advisory. 1.8.0.342.b07-1.0.1 - Replace upstream references (Orabug: 34340145) 1:1.8.0.342.b07-1 - Update to shenandoah-jdk8u342-b07 - Update release notes for...

CVSS 7.5 | AI score 6.8 | EPSS 0.10953 | Exploits: 2 | References: 4
Source: OSV | added 2022/07/26 3:00 a.m. | 5 views

OESA-2022-1780 derby security update

Apache Derby, an Apache DB sub-project, is a relational database implemented entirely in Java. Some key advantages include a small footprint, conformance to the Java, JDBC, and SQL standards, and an embedded JDBC driver. Security Fixes: In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network...

CVSS 5.3 | AI score 7.4 | EPSS 0.00772 | Exploits: 0 | References: 2
Source: OSV | added 2022/07/22 2:02 p.m. | 7 views

SUSE-SU-2022:2531-1 Security update for java-1_8_0-openjdk

This update for java-1_8_0-openjdk fixes the following issues: Update to version jdk8u332 (April 2022 CPU, icedtea-3.23.0) - CVE-2022-21426: Better XPath expression handling (bsc#1198672) - CVE-2022-21443: Improved Object Identification (bsc#1198675) - CVE-2022-21434: Better invocation handler handling...

CVSS 7.5 | AI score 5.8 | EPSS 0.00199 | Exploits: 0 | References: 11
Source: CNNVD | added 2022/07/19 12:00 a.m. | 4 views

Apache Xalan Input Validation Error Vulnerability

Apache Xalan is an open source software library from the Apache Software Foundation (USA). The input validation error vulnerability in the Apache Xalan Java XSLT library stems from an integer truncation issue when processing malicious XSLT stylesheets. The vulnerability can be exploited to corrupt Java class files...

CVSS 7.5 | AI score 5.9 | EPSS 0.10953 | Exploits: 2 | References: 65
Source: OSV | added 2022/07/16 7:58 p.m. | 6 views

MGASA-2022-0261 Updated java packages fix security vulnerability

OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008, CVE-2022-21476). OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504, CVE-2022-21426). OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)...

CVSS 7.5 | AI score 5.9 | EPSS 0.00199 | Exploits: 0 | References: 4
Source: Tenable Nessus | added 2022/06/01 12:00 a.m. | 98 views

Apache Shiro < 1.6.0 Authentication Bypass

In Apache Shiro before 1.6.0, when Apache Shiro is used with Spring, a specially crafted HTTP request may cause an authentication bypass. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...

CVSS 7.5 | AI score 7.5 | EPSS 0.8093 | Exploits: 3 | References: 2
Source: Tenable Nessus | added 2022/06/01 12:00 a.m. | 39 views

Apache Shiro < 1.4.2 Padding Attack

In Apache Shiro before 1.4.2, when the default 'remember me' configuration is used, cookies could be susceptible to a padding attack. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...

CVSS 7.5 | AI score 7.5 | EPSS 0.54895 | Exploits: 0 | References: 2
Source: Tenable Nessus | added 2022/06/01 12:00 a.m. | 30 views

Apache Shiro < 1.8.0 Authentication Bypass

In Apache Shiro before 1.8.0, when Apache Shiro is used with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...

CVSS 9.8 | AI score 8.3 | EPSS 0.49287 | Exploits: 0 | References: 2
Source: RedHat Linux | added 2022/05/17 11:41 p.m. | 1 view

OpenJDK: URI parsing inconsistencies (JNDI, 8278972)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable...

CVSS 5.3 | AI score 7.4 | EPSS 0.00109 | Exploits: 0 | References: 4
Source: OSV | added 2022/05/14 1:18 a.m. | 28 views

GHSA-845H-985R-JRQH Improper Authentication in Hibernate Validator

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application...

CVSS 5 | AI score 6.1 | EPSS 0.00532 | Exploits: 0 | References: 18
Source: Github Security Blog | added 2022/05/14 1:18 a.m. | 30 views

Improper Authentication in Hibernate Validator

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application...

CVSS 5 | AI score 6.4 | EPSS 0.00532 | Exploits: 0 | References: 18 | Affected Software: 1
Source: Github Security Blog | added 2022/05/13 1:34 a.m. | 27 views

Improper Restriction of XML External Entity Reference in Elasticsearch

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager, then an attacker could send a specially crafted request capable of leaking content...

CVSS 5.9 | AI score 2.5 | EPSS 0.0028 | Exploits: 0 | References: 5 | Affected Software: 1
Source: Github Security Blog | added 2022/05/13 1:14 a.m. | 25 views

Improper Restriction of XML External Entity Reference in Apache Derby

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype...

CVSS 9.1 | AI score 8.6 | EPSS 0.00818 | Exploits: 0 | References: 14 | Affected Software: 1
Source: OSV | added 2022/05/03 2:14 p.m. | 7 views

SUSE-SU-2022:1513-1 Security update for java-11-openjdk

This update for java-11-openjdk fixes the following issues: - CVE-2022-21426: Fixed compromise of Oracle Java SE by an unauthenticated attacker with network access via multiple protocols (bsc#1198672). - CVE-2022-21434: Fixed compromise of Oracle Java SE by an unauthenticated attacker with network access...

CVSS 7.5 | AI score 5.6 | EPSS 0.00199 | Exploits: 0 | References: 11
Source: OSV | added 2022/04/29 3:30 p.m. | 6 views

SUSE-SU-2022:1474-1 Security update for java-11-openjdk

This update for java-11-openjdk fixes the following issues: - CVE-2022-21426: Fixed compromise of Oracle Java SE by an unauthenticated attacker with network access via multiple protocols (bsc#1198672). - CVE-2022-21434: Fixed compromise of Oracle Java SE by an unauthenticated attacker with network access...

CVSS 7.5 | AI score 5.6 | EPSS 0.00199 | Exploits: 0 | References: 11
Source: Oracle Linux | added 2022/04/20 12:00 a.m. | 111 views

java-17-openjdk security and bug fix update

1:17.0.3.0.6-2 - Add JDK-8284920 fix for XPath regression - Related: rhbz#2073575 1:17.0.3.0.6-2 - JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476 - Related: rhbz#2073575 1:17.0.3.0.6-1 - JDK-8283911 patch no longer needed now we're GA... - Resolves: rhbz#2073575...

CVSS 7.5 | AI score 1.7 | EPSS 0.34335 | Exploits: 6
Source: OSV | added 2022/03/29 1:39 p.m. | 7 views

SUSE-SU-2022:1026-1 Security update for java-1_8_0-ibm

This update for java-1_8_0-ibm fixes the following issues: Update Java 8.0 to Service Refresh 7 Fix Pack 5 (bsc#1197126), including fixes for the following vulnerabilities: CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21277,...

CVSS 5.3 | AI score 5.2 | EPSS 0.05612 | Exploits: 0 | References: 36