2023-4 Java Security Weekly News - Red Hat, Jenkins

2023 » Published on February 3, 2023

Red Hat Security Advisory

(RHSA-2023:0208) Moderate: java-1.8.0-openjdk security and bug fix update

(RHSA-2023:0210) Moderate: java-1.8.0-openjdk security and bug fix update

(RHSA-2023:0203) Moderate: java-1.8.0-openjdk security and bug fix update

(RHSA-2023:0389) Moderate: OpenJDK 17.0.6 Security Update for Portable Linux Builds

(RHSA-2023:0352) Moderate: OpenJDK 17.0.6 Security Update for Windows Builds

(RHSA-2023:0388) Moderate: OpenJDK 11.0.18 Security Update for Portable Linux Builds

(RHSA-2023:0353) Moderate: OpenJDK 11.0.18 Security Update for Windows Builds

(RHSA-2023:0354) Moderate: OpenJDK 8u362 Windows Security Update

(RHSA-2023:0387) Moderate: OpenJDK 8u362 Security Update for Portable Linux Builds

(RHSA-2023:0207) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:0206) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:0209) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:0205) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:0204) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:0194) Moderate: java-17-openjdk security and bug fix update

(RHSA-2023:0195) Moderate: java-11-openjdk security and bug fix update

Jenkins Security Advisories

Jenkins Security Advisory 2023-01-24

Java CVEs

N/A	CVE-2022-39811 Italtel NetMatch-S CI 5.2.0-20211008 has incorrect Access Control under NMSCI-WebGui/advancedsettings.jsp and NMSCIWebGui/SaveFileUploader. By not verifying permissions for access to resources, it allows an attacker to view pages that are not allowed, and modify the system configuration, bypassing all controls (without checking for user identity). Published Friday, January 27, 2023
N/A	CVE-2022-39813 Italtel NetMatch-S CI 5.2.0-20211008 allows Multiple Reflected/Stored XSS issues under NMSCIWebGui/j_security_check via the j_username parameter, or NMSCIWebGui/actloglineview.jsp via the name or actLine parameter. An attacker leveraging this vulnerability could inject arbitrary JavaScript. The payload would then be triggered every time an authenticated user browses the page containing it. Published Friday, January 27, 2023
N/A	CVE-2022-42971 A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability exists that could cause remote code execution when the attacker uploads a malicious JSP file. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261) Published Wednesday, February 1, 2023
N/A	CVE-2022-46934 kkFileView v4.1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java. Published Wednesday, February 1, 2023
N/A	CVE-2022-37034 In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests. Published Wednesday, February 1, 2023