
CVE-2021-35550 – OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)
https://notcve.org/view.php?id=CVE-2021-35550
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java ... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVE-2021-35556 – OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
https://notcve.org/view.php?id=CVE-2021-35556
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of ... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2021-35559 – OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
https://notcve.org/view.php?id=CVE-2021-35559
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of ... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2021-35561 – OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097)
https://notcve.org/view.php?id=CVE-2021-35561
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial o... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2021-35564 – OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137)
https://notcve.org/view.php?id=CVE-2021-35564
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to ... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-20: Improper Input Validation •

CVE-2021-35565 – OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967)
https://notcve.org/view.php?id=CVE-2021-35565
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2021-35586 – OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
https://notcve.org/view.php?id=CVE-2021-35586
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial o... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2021-35588 – OpenJDK: Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071)
https://notcve.org/view.php?id=CVE-2021-35588
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vul... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-20: Improper Input Validation •

CVE-2021-35603 – OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
https://notcve.org/view.php?id=CVE-2021-35603
20 Oct 2021 — Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM ... • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html • CWE-203: Observable Discrepancy •

CVE-2021-3656 – kernel: SVM nested virtualization issue in KVM (VMLOAD/VMSAVE)
https://notcve.org/view.php?id=CVE-2021-3656
09 Sep 2021 — A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the en... • https://github.com/rami08448/CVE-2021-3656-Demo • CWE-862: Missing Authorization •