2024-15 Java Security Weekly News - Oracle, Red Hat, GitHub

2024 » Published on April 26, 2024

Oracle Security Alerts

Oracle Critical Patch Update Advisory - April 2024

Red Hat Security Advisory

(RHSA-2024:1819) Moderate: OpenJDK 11.0.23 Security Update for Portable Linux Builds

(RHSA-2024:1826) Moderate: OpenJDK 21.0.3 Security Update for Portable Linux Builds

(RHSA-2024:1828) Moderate: java-21-openjdk security update

(RHSA-2024:1818) Moderate: java-1.8.0-openjdk security update

(RHSA-2024:1825) Moderate: java-17-openjdk security update

(RHSA-2024:1827) Moderate: OpenJDK 21.0.3 Security Update for Windows Builds

(RHSA-2024:1823) Moderate: OpenJDK 17.0.11 Security Update for Portable Linux Builds

(RHSA-2024:1824) Moderate: OpenJDK 17.0.11 Security Update for Windows Builds

(RHSA-2024:1820) Moderate: OpenJDK 11.0.23 Security Update for Windows Builds

(RHSA-2024:1815) Moderate: OpenJDK 8u412 Security Update for Portable Linux Builds

(RHSA-2024:1816) Moderate: OpenJDK 8u412 Windows Security Update

(RHSA-2024:1817) Moderate: java-1.8.0-openjdk security update

Github Security Advisories

[GHSA-mrv8-pqfj-7gp5] Keycloak path traversal vulnerability in the redirect validation

Java CVEs

N/A	CVE-2024-27348 RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue. Published Monday, April 22, 2024
N/A	CVE-2024-32653 jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability. Published Monday, April 22, 2024
N/A	CVE-2024-32656 Ant Media Server is live streaming engine software. A local privilege escalation vulnerability in present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James. Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the `antmedia` service account on the system. Version 2.9.0 contains a patch for the issue. As a workaround, one may remove certain parameters from the `antmedia.service` file. Published Monday, April 22, 2024
N/A	CVE-2023-5675 A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties. Published Thursday, April 25, 2024