Friday, October 7, 2022

Linode Security Digest July 24-31, 2022

This week, we’ll cover newly-discovered OpenJDK vulnerabilities, a heap overflow vulnerability in Redis, and an arbitrary PHP code execution vulnerability in Drupal core.

OpenJDK Vulnerabilities

OpenJDK released a security advisory last week containing four vulnerabilities.

CVE-2022-21541 is a difficult-to-exploit vulnerability in the hotspot/runtime component that allows unauthenticated attackers with network access via multiple protocols to compromise Java, which can result in unauthorized creation, deletion, or modification access to critical data or all OpenJDK accessible data.

CVE-2022-21540 exists in the hotspot/compiler component and is an easily exploitable flaw that allows unauthenticated attackers with network access via multiple protocols to gain unauthorized read access to a subset of OpenJDK accessible data. This CVE only has a low impact on the confidentiality of data.

CVE-2022-21549, in the core-libs/java.util component, can result in unauthorized update, insert, or delete access to some of OpenJDK accessible data.

Note: All three vulnerabilities apply to Java deployments—typically in clients running sandboxed Java Web Start applications or sandboxed Java applets—that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. These vulnerabilities can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

CVE-2022-34169 is an integer truncation issue in the Apache Xalan Java XSLT library. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

Heap Overflow in Redis

Redis is often described as a data structures server. What this means is that Redis provides access to mutable data structures via a set of commands, which are sent using a server-client model with TCP sockets and a simple protocol. So different processes can query and modify the same data structures in a shared way.

There is a heap overflow issue that can be triggered by an out-of-bounds write via a specially crafted XAUTOCLAIM command on a stream key in a specific state, and it can potentially lead to remote code execution. CVE-2022-31144 affects Redis versions 7.0.0 or newer. The problem is fixed in Redis version 7.0.4.

Drupal Core – Arbitrary PHP Code Execution Vulnerability

Drupal has released four advisories that describe four types of vulnerabilities. One of them has been rated “critical” and the other three “moderately critical.” The “critical” vulnerability, tracked as CVE-2022-25277, affects Drupal 9.3 and 9.4. The issue affects Drupal core and it can lead to arbitrary PHP code execution on Apache web servers by uploading specially crafted files.

The remaining three are moderately critical according to Drupal.

CVE-2022-25276 could lead to cross-site scripting, leaked cookies, or other vulnerabilities because the Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain.

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. CVE-2022-25278 might lead to a user being able to alter data they should not have access to.

CVE-2022-25275 arises in some situations when the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Upgrade to Drupal 9.4.3 or 9.3.19 to apply patches for these vulnerabilities. Note: All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage, and Drupal 8 has reached its end of life. Drupal 7 core is not affected.
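The Redis and Drupal items above both reduce to a version-range question: is the installed release inside the affected range, already on the fixed release, or on a branch that no longer receives fixes at all? The following script is an added example (not Linode's code and not part of the original digest) that encodes only the ranges stated in this digest: Redis 7.0.0 up to but not including 7.0.4 for CVE-2022-31144, Drupal 9.3.x before 9.3.19 and 9.4.x before 9.4.3 for the four Drupal advisories, with Drupal 8 and Drupal 9 before 9.3 treated as end-of-life and Drupal 7 as not affected. The `SAMPLE_INFO` text is a constructed stand-in for the server section of Redis's `INFO` command output; the function names are this example's own.

```python
"""Version-range triage for the Redis and Drupal advisories in this digest.

Added example, not Linode's code. Ranges are taken from the digest text only:
  Redis  : CVE-2022-31144 affects 7.0.0 <= version < 7.0.4 (fixed in 7.0.4).
  Drupal : fixed in 9.3.19 and 9.4.3; Drupal 9 before 9.3.x and Drupal 8 are
           end-of-life; Drupal 7 core is not affected.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '7.0.2', 'v9.4.1' or '9.3.19-dev' into a comparable (major, minor, patch).

    A string that does not start with two or three dotted integers is rejected
    rather than guessed, so an unparsable value can never be classified as safe.
    """
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def redis_status(version: str) -> str:
    """Classify a Redis version against CVE-2022-31144."""
    v = parse_version(version)
    if v < (7, 0, 0):
        return "not affected"   # the digest says 7.0.0 or newer is affected
    if v < (7, 0, 4):
        return "vulnerable"
    return "fixed"


def drupal_status(version: str) -> str:
    """Classify a Drupal core version against the four advisories."""
    v = parse_version(version)
    major, minor, _ = v
    if major == 7:
        return "not affected"
    if major == 8 or (major == 9 and minor < 3):
        return "end-of-life"    # no security coverage, so upgrading is the only fix
    if major == 9 and minor == 3:
        return "vulnerable" if v < (9, 3, 19) else "fixed"
    if major == 9 and minor == 4:
        return "vulnerable" if v < (9, 4, 3) else "fixed"
    return "unknown"            # a branch this digest does not cover


def redis_version_from_info(info_text: str) -> str:
    """Extract redis_version from the text returned by the Redis INFO command."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not present in INFO output")


# Constructed sample of INFO output (server section); not captured from a real host.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:7.0.2\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 5.15.0 x86_64\r\n"
)

if __name__ == "__main__":
    print("redis (from INFO sample):", redis_status(redis_version_from_info(SAMPLE_INFO)))
    for ver in ("6.2.7", "7.0.0", "7.0.3", "7.0.4"):
        print("redis", ver, "->", redis_status(ver))
    for ver in ("7.91", "8.9.20", "9.2.10", "9.3.18", "9.3.19", "9.4.2", "9.4.3"):
        print("drupal", ver, "->", drupal_status(ver))
```

The parser deliberately raises on input it cannot read instead of defaulting to "fixed": in an inventory sweep, a blank or malformed version field is a finding in its own right, not evidence of a patched host. Branches the digest does not mention come back as "unknown" for the same reason.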
