2024-28 Java Security Weekly News - Oracle, Red Hat

2024 » Published on July 26, 2024

Oracle Security Alerts

Oracle Critical Patch Update Advisory - July 2024

Red Hat Security Advisory

(RHSA-2024:4562) Important: OpenJDK 8u422 Security Update for Portable Linux Builds

(RHSA-2024:4560) Important: java-1.8.0-openjdk security update

(RHSA-2024:4568) Important: java-17-openjdk security update

(RHSA-2024:4561) Important: OpenJDK 8u422 Windows Security Update

(RHSA-2024:4573) Important: java-21-openjdk security update

(RHSA-2024:4571) Important: OpenJDK 21.0.4 Security Update for Windows Builds

(RHSA-2024:4572) Important: OpenJDK 21.0.4 Security Update for Portable Linux Builds

dnsjava:dnsjava

HIGH

CVE-2024-25638
dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.

 
dnsjava:dnsjava
     impacts versions: < 3.6.0 fixed in: 3.6.0

Published Monday, July 22, 2024

org.openidentityplatform.openam:openam-oauth2

HIGH

CVE-2024-41667
OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default PingOne Advanced Identity Cloud login page,they did not restrict the `CustomLoginUrlTemplate`, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4.

 
org.openidentityplatform.openam:openam-oauth2
     impacts versions: <= 15.0.3 fixed in: 15.0.4

Published Wednesday, July 24, 2024

Additional Java CVEs

N/A	CVE-2024-41601 Insecure Permissions vulnerability in lin-CMS v.0.2.0 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component. Published Friday, July 19, 2024
N/A	CVE-2024-41600 Insecure Permissions vulnerability in lin-CMS Springboot v.0.2.1 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component. Published Friday, July 19, 2024
N/A	CVE-2024-6960 The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform. Published Sunday, July 21, 2024
N/A	CVE-2024-24507 Cross Site Scripting vulnerability in Act-On 2023 allows a remote attacker to execute arbitrary code via the newUser parameter in the login.jsp component. Published Monday, July 22, 2024