CVE-2021-20322 – kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
https://notcve.org/view.php?id=CVE-2021-20322
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well. Se encontró un fallo en el procesamiento de los errores ICMP recibidos (fragmento ICMP necesario y redireccionamiento ICMP) en la funcionalidad del kernel de Linux que permite la capacidad de escanear rápidamente los puertos UDP abiertos. Este fallo permite a un usuario remoto fuera de la ruta de acceso omitir efectivamente la aleatorización del puerto de origen UDP. • https://bugzilla.redhat.com/show_bug.cgi?id=2014230 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.15-rc6&id=4785305c05b25a242e5314cc821f54ade4c18810 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v5.15-rc6&id=6457378fe796815c973f631a1904e147d6ee33b1 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/ipv4/route.c?h=v5.15-rc6&id=67d6d681e15b578c1725bad8ad079e05d1c48a8e https://git.kernel.org/pub/scm/linux/ke • CWE-330: Use of Insufficiently Random Values •
CVE-2022-21366 – OpenJDK: Excessive memory allocation in TIFF*Decompressor (ImageIO, 8274096)
https://notcve.org/view.php?id=CVE-2022-21366
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21366 https://bugzilla.redhat.com/show_bug.cgi?id=2041789 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-21365 – OpenJDK: Integer overflow in BMPImageReader (ImageIO, 8273838)
https://notcve.org/view.php?id=CVE-2022-21365
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21365 https://bugzilla.redhat.com/show_bug.cgi?id=2041785 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-21360 – OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8273756)
https://notcve.org/view.php?id=CVE-2022-21360
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21360 https://bugzilla.redhat.com/show_bug.cgi?id=2041491 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-21349
https://notcve.org/view.php?id=CVE-2022-21349
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.oracle.com/security-alerts/cpujan2022.html •