2024-36 Java Security Weekly News - Adobe, Red Hat, Spring

2024 » Published on September 20, 2024

Adobe Security Bulletins and Advisories

Security updates available for Adobe ColdFusion | APSB24-71

Red Hat Security Advisory

(RHSA-2024:6595) Moderate: java-1.8.0-ibm security update

Spring Security Advisories

cve-2024-38816 - High - CVE-2024-38816: Path traversal vulnerability in functional web frameworks

org.keycloak:keycloak-services

6.5

CVE-2024-4629
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

 
org.keycloak:keycloak-services
     impacts versions: < 22.0.12 fixed in: 22.0.12 
     impacts versions: >= 23.0.0, < 24.0.7 fixed in: 24.0.7 
     impacts versions: >= 25.0.0, < 25.0.4 fixed in: 25.0.4

Published Tuesday, September 3, 2024

com.google.protobuf:protobuf-kotlin-lite

HIGH

CVE-2024-7254
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

 
com.google.protobuf:protobuf-kotlin-lite
     impacts versions: < 3.25.5 fixed in: 3.25.5 
     impacts versions: >= 4.0.0.rc.1, < 4.27.5 fixed in: 4.27.5 
     impacts versions: >= 4.28.0.rc.1, < 4.28.2 fixed in: 4.28.2 
 
com.google.protobuf:protobuf-kotlin
     impacts versions: < 3.25.5 fixed in: 3.25.5 
     impacts versions: >= 4.0.0.rc.1, < 4.27.5 fixed in: 4.27.5 
     impacts versions: >= 4.28.0.rc.1, < 4.28.2 fixed in: 4.28.2 
 
com.google.protobuf:protobuf-javalite
     impacts versions: < 3.25.5 fixed in: 3.25.5 
     impacts versions: >= 4.0.0.rc.1, < 4.27.5 fixed in: 4.27.5 
     impacts versions: >= 4.28.0.rc.1, < 4.28.2 fixed in: 4.28.2 
 
com.google.protobuf:protobuf-java
     impacts versions: < 3.25.5 fixed in: 3.25.5 
     impacts versions: >= 4.0.0.rc.1, < 4.27.5 fixed in: 4.27.5 
     impacts versions: >= 4.28.0.rc.1, < 4.28.2 fixed in: 4.28.2

Published Thursday, September 19, 2024

Additional Java CVEs

8.8	CVE-2024-42489 Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros like Viewppt are vulnerable to the same kind of attack. This vulnerability is fixed in 1.10.1. Published Monday, August 12, 2024
N/A	CVE-2024-46382 A SQL injection vulnerability in linlinjava litemall 1.8.0 allows a remote attacker to obtain sensitive information via the goodsId, goodsSn, and name parameters in AdminGoodscontroller.java. Published Thursday, September 19, 2024
N/A	CVE-2024-46983 sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`. Published Thursday, September 19, 2024