2023-42 Java Security Weekly News - Oracle, Red Hat

2023 » Published on October 27, 2023

Oracle Security Alerts

Oracle Critical Patch Update Advisory - October 2023

Red Hat Security Advisory

(RHSA-2023:5928) Important: tomcat security update

(RHSA-2023:5730) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:5732) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:5728) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:5727) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:5761) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:5731) Moderate: java-1.8.0-openjdk security update

(RHSA-2023:5746) Moderate: OpenJDK 17.0.9 Security Update for Windows Builds

(RHSA-2023:5734) Moderate: OpenJDK 11.0.21 Security Update for Portable Linux Builds

(RHSA-2023:5735) Moderate: OpenJDK 11.0.21 Security Update for Windows Builds

(RHSA-2023:5736) Moderate: java-11-openjdk security and bug fix update

(RHSA-2023:5737) Moderate: java-11-openjdk security update

(RHSA-2023:5752) Moderate: java-17-openjdk security and bug fix update

(RHSA-2023:5751) Moderate: java-17-openjdk security and bug fix update

(RHSA-2023:5750) Moderate: java-17-openjdk security and bug fix update

(RHSA-2023:5753) Moderate: java-17-openjdk security and bug fix update

(RHSA-2023:5744) Moderate: java-11-openjdk security and bug fix update

(RHSA-2023:5743) Moderate: java-11-openjdk security and bug fix update

(RHSA-2023:5741) Moderate: java-11-openjdk security and bug fix update

(RHSA-2023:5739) Moderate: java-11-openjdk security and bug fix update

(RHSA-2023:5742) Moderate: java-11-openjdk security and bug fix update

Java CVEs

9.6	CVE-2023-45144 com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vulnerable to cross site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade. Published Monday, October 16, 2023
N/A	CVE-2023-46122 sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7. Published Monday, October 23, 2023
N/A	CVE-2023-37913 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment's content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature introduced in XWiki 14.0, this is easy to reproduce but it also possible to reproduce in versions as old as XWiki 3.5 by uploading the attachment through the REST API which doesn't remove `/` or `\` from the filename. As the mime type of the attachment doesn't matter for the exploitation, this could e.g., be used to replace the `jar`-file of an extension which would allow executing arbitrary Java code and thus impact the confidentiality, integrity and availability of the XWiki installation. This vulnerability has been patched in XWiki 14.10.8 and 15.3RC1. There are no known workarounds apart from disabling the office converter. Published Wednesday, October 25, 2023
N/A	CVE-2023-39219 PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests Published Wednesday, October 25, 2023
N/A	CVE-2023-41339 GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=<url>`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2. Published Wednesday, October 25, 2023
N/A	CVE-2023-43795 GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2. Published Wednesday, October 25, 2023
N/A	CVE-2023-46120 The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0. Published Wednesday, October 25, 2023