CVE-2022-21282 – OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492)
https://notcve.org/view.php?id=CVE-2022-21282
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21282 https://bugzilla.redhat.com/show_bug.cgi?id=2041435 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVE-2022-21277 – OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor (ImageIO, 8270952)
https://notcve.org/view.php?id=CVE-2022-21277
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21277 https://bugzilla.redhat.com/show_bug.cgi?id=2041479 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-21271
https://notcve.org/view.php?id=CVE-2022-21271
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html •
CVE-2022-21248 – OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934)
https://notcve.org/view.php?id=CVE-2022-21248
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4J2N4FNXW6JKJBWUZH6SNI2UHCZXQXCY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPIWQ6DL5IPOT54UBWTISG5T24FQJ7MN https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 h • CWE-502: Deserialization of Untrusted Data •
CVE-2021-45485 – kernel: information leak in the IPv6 implementation
https://notcve.org/view.php?id=CVE-2021-45485
In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. En la implementación de IPv6 en el kernel de Linux versiones anteriores a 5.13.3, el archivo net/ipv6/output_core.c presenta un filtrado de información debido a determinado uso de una tabla hash que, aunque es grande, no considera apropiadamente que atacantes basados en IPv6 pueden elegir típicamente entre muchas direcciones de origen IPv6 An information leak flaw was found in the Linux kernel’s IPv6 implementation in the __ipv6_select_ident in net/ipv6/output_core.c function. The use of a small hash table in IP ID generation allows a remote attacker to reveal sensitive information. • https://arxiv.org/pdf/2112.09604.pdf https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.3 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=62f20e068ccc50d6ab66fdb72ba90da2b9418c99 https://security.netapp.com/advisory/ntap-20220121-0001 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-45485 https://bugzilla.redhat.com/show_bug.cgi?id=2039911 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •