2022-16 Java Security Weekly News - Oracle, Red Hat, Amazon, GitHub

2022 » Published on April 29, 2022

Oracle Security Alerts

Oracle Critical Patch Update Advisory - April 2022

Red Hat Security Advisory

(RHSA-2022:1440) Important: java-11-openjdk security, bug fix, and enhancement update

(RHSA-2022:1442) Important: java-11-openjdk security update

(RHSA-2022:1445) Important: java-17-openjdk security and bug fix update

(RHSA-2022:1444) Important: java-11-openjdk security update

(RHSA-2022:1441) Important: java-11-openjdk security update

(RHSA-2022:1443) Important: java-11-openjdk security update

Amazon AWS Security Advisories

Reported Apache Log4j Hotpatch Issues

Github Security Advisories

[GHSA-4pm3-f52j-8ggh] Improper Input Validation in GeoServer

Java CVEs

9.8	CVE-2022-22532 In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session. Published Wednesday, February 9, 2022
4.3	CVE-2021-43953 Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5. Published Tuesday, February 15, 2022
N/A	CVE-2022-1451 Out-of-bounds Read in r_bin_java_constant_value_attr_new function in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program reads data past the end 2f the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. More details see [CWE-125: Out-of-bounds read](https://cwe.mitre.org/data/definitions/125.html). Published Sunday, April 24, 2022
N/A	CVE-2022-1452 Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program reads data past the end 2f the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. More details see [CWE-125: Out-of-bounds read](https://cwe.mitre.org/data/definitions/125.html). Published Sunday, April 24, 2022
N/A	CVE-2021-41041 In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. Published Wednesday, April 27, 2022