ISHACK AI BOT

Citrix ADC (NetScaler) Forms SSO Target RCE Disclosed 07/18/2023 Created 08/03/2023 Description A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root. Author(s) Ron Bowes Douglass McKee Spencer McIntyre rwincey Platform Unix Architectures cmd Development Source Code History

Red Hat OpenShift: CVE-2023-37788: goproxy: Denial of service (DoS) via unspecified vectors. Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/18/2023 Created 11/01/2023 Added 11/01/2023 Modified 01/28/2025 Description goproxy v1.1 was discovered to contain an issue which can lead to a Denial of service (DoS) via unspecified vectors. Solution(s) linuxrpm-upgrade-openshift References https://attackerkb.com/topics/cve-2023-37788 CVE - 2023-37788 RHSA-2023:5006 RHSA-2023:5007 RHSA-2023:5009 RHSA-2023:5407 RHSA-2023:6832 RHSA-2023:7198 RHSA-2024:2773 RHSA-2024:3479 RHSA-2024:4468 RHSA-2024:4959 RHSA-2024:7184 RHSA-2024:8974 View more

FreeBSD: VID-759A5599-3CE8-11EE-A0D1-84A93843EB75 (CVE-2023-22053): MySQL -- Multiple vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:S/C:P/I:N/A:C) Published 07/18/2023 Created 08/21/2023 Added 08/18/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs).Supported versions that are affected are 5.7.42 and prior and8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server andunauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H). Solution(s) freebsd-upgrade-package-mysql-client57 freebsd-upgrade-package-mysql-client80 freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-server57 freebsd-upgrade-package-mysql-server80 References CVE-2023-22053

FreeBSD: VID-759A5599-3CE8-11EE-A0D1-84A93843EB75 (CVE-2023-22054): MySQL -- Multiple vulnerabilities Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 07/18/2023 Created 08/21/2023 Added 08/18/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) freebsd-upgrade-package-mysql-client57 freebsd-upgrade-package-mysql-client80 freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-server57 freebsd-upgrade-package-mysql-server80 References CVE-2023-22054

Amazon Linux 2023: CVE-2022-41409: Low priority package update for pcre2 Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 07/18/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input. A flaw was found in PCRE2, where it is susceptible to an integer overflow vulnerability triggered by a negative repeat value in the pcre2test subject line that causes infinite looping. This flaw allows a remote attacker to pass specially crafted data to the application, initiating an integer overflow and executing a denial of service (DoS) attack. Solution(s) amazon-linux-2023-upgrade-pcre2 amazon-linux-2023-upgrade-pcre2-debuginfo amazon-linux-2023-upgrade-pcre2-debugsource amazon-linux-2023-upgrade-pcre2-devel amazon-linux-2023-upgrade-pcre2-static amazon-linux-2023-upgrade-pcre2-syntax amazon-linux-2023-upgrade-pcre2-tools amazon-linux-2023-upgrade-pcre2-tools-debuginfo amazon-linux-2023-upgrade-pcre2-utf16 amazon-linux-2023-upgrade-pcre2-utf16-debuginfo amazon-linux-2023-upgrade-pcre2-utf32 amazon-linux-2023-upgrade-pcre2-utf32-debuginfo References https://attackerkb.com/topics/cve-2022-41409 CVE - 2022-41409 https://alas.aws.amazon.com/AL2023/ALAS-2023-286.html

FreeBSD: VID-759A5599-3CE8-11EE-A0D1-84A93843EB75 (CVE-2023-22007): MySQL -- Multiple vulnerabilities Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 07/18/2023 Created 08/21/2023 Added 08/18/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).Supported versions that are affected are 5.7.41 and prior and8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) freebsd-upgrade-package-mysql-client57 freebsd-upgrade-package-mysql-client80 freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-server57 freebsd-upgrade-package-mysql-server80 References CVE-2023-22007

Amazon Linux 2023: CVE-2023-22043: Medium priority package update for java-1.8.0-amazon-corretto (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:N/C:N/I:C/A:N) Published 07/18/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.Successful attacks of this vulnerability can result inunauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.9 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). Solution(s) amazon-linux-2023-upgrade-java-11-amazon-corretto amazon-linux-2023-upgrade-java-11-amazon-corretto-devel amazon-linux-2023-upgrade-java-11-amazon-corretto-headless amazon-linux-2023-upgrade-java-11-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-11-amazon-corretto-jmods amazon-linux-2023-upgrade-java-17-amazon-corretto amazon-linux-2023-upgrade-java-17-amazon-corretto-devel amazon-linux-2023-upgrade-java-17-amazon-corretto-headless amazon-linux-2023-upgrade-java-17-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-17-amazon-corretto-jmods amazon-linux-2023-upgrade-java-1-8-0-amazon-corretto amazon-linux-2023-upgrade-java-1-8-0-amazon-corretto-devel References https://attackerkb.com/topics/cve-2023-22043 CVE - 2023-22043 https://alas.aws.amazon.com/AL2023/ALAS-2023-256.html https://alas.aws.amazon.com/AL2023/ALAS-2023-257.html https://alas.aws.amazon.com/AL2023/ALAS-2023-258.html

FreeBSD: VID-759A5599-3CE8-11EE-A0D1-84A93843EB75 (CVE-2023-22005): MySQL -- Multiple vulnerabilities Severity 6 CVSS (AV:N/AC:M/Au:M/C:N/I:N/A:C) Published 07/18/2023 Created 08/21/2023 Added 08/18/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) freebsd-upgrade-package-mysql-client57 freebsd-upgrade-package-mysql-client80 freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-server57 freebsd-upgrade-package-mysql-server80 References CVE-2023-22005

Huawei EulerOS: CVE-2022-41409: pcre2 security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/18/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input. Solution(s) huawei-euleros-2_0_sp11-upgrade-pcre2 References https://attackerkb.com/topics/cve-2022-41409 CVE - 2022-41409 EulerOS-SA-2023-2865

Citrix Gateway/Application Delivery Controller: CVE-2023-3519: Unauthenticated remote code execution Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/18/2023 Created 07/18/2023 Added 07/18/2023 Modified 07/20/2023 Description A vulnerability has been discovered in Citrix Gateway and Citrix ADC (formerly known as NetScaler ADC), that, if exploited, could allow an unauthenticated remote attacker to perform remote code execution on the appliance. Solution(s) citrix-adc-upgrade-latest References https://attackerkb.com/topics/cve-2023-3519 CVE - 2023-3519 https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Amazon Linux AMI 2: CVE-2022-41409: Security patch for pcre2 (ALAS-2024-2449) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/18/2023 Created 02/09/2024 Added 02/08/2024 Modified 01/28/2025 Description Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input. Solution(s) amazon-linux-ami-2-upgrade-pcre2 amazon-linux-ami-2-upgrade-pcre2-debuginfo amazon-linux-ami-2-upgrade-pcre2-devel amazon-linux-ami-2-upgrade-pcre2-static amazon-linux-ami-2-upgrade-pcre2-tools amazon-linux-ami-2-upgrade-pcre2-utf16 amazon-linux-ami-2-upgrade-pcre2-utf32 References https://attackerkb.com/topics/cve-2022-41409 AL2/ALAS-2024-2449 CVE - 2022-41409

Debian: CVE-2023-22043: openjfx -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 07/18/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.Successful attacks of this vulnerability can result inunauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.9 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). Solution(s) debian-upgrade-openjfx References https://attackerkb.com/topics/cve-2023-22043 CVE - 2023-22043

Debian: CVE-2023-22049: openjdk-11, openjdk-17 -- security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/18/2023 Created 08/18/2023 Added 08/18/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) debian-upgrade-openjdk-11 debian-upgrade-openjdk-17 References https://attackerkb.com/topics/cve-2023-22049 CVE - 2023-22049 DSA-5458-1 DSA-5478-1

Debian: CVE-2023-22006: openjdk-11, openjdk-17 -- security update Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 07/18/2023 Created 08/18/2023 Added 08/18/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). Solution(s) debian-upgrade-openjdk-11 debian-upgrade-openjdk-17 References https://attackerkb.com/topics/cve-2023-22006 CVE - 2023-22006 DSA-5458-1 DSA-5478-1

Debian: CVE-2022-41409: pcre2 -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/18/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input. Solution(s) debian-upgrade-pcre2 References https://attackerkb.com/topics/cve-2022-41409 CVE - 2022-41409

Debian: CVE-2023-22041: openjdk-11, openjdk-17 -- security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 07/18/2023 Created 08/18/2023 Added 08/18/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). Solution(s) debian-upgrade-openjdk-11 debian-upgrade-openjdk-17 References https://attackerkb.com/topics/cve-2023-22041 CVE - 2023-22041 DSA-5458-1 DSA-5478-1

CentOS Linux: CVE-2023-37450: Important: webkit2gtk3 security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/18/2023 Created 07/25/2023 Added 07/24/2023 Modified 01/28/2025 Description The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, Safari 16.5.2, tvOS 16.6, macOS Ventura 13.5, watchOS 9.6. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Solution(s) centos-upgrade-webkit2gtk3 centos-upgrade-webkit2gtk3-debuginfo centos-upgrade-webkit2gtk3-debugsource centos-upgrade-webkit2gtk3-devel centos-upgrade-webkit2gtk3-devel-debuginfo centos-upgrade-webkit2gtk3-jsc centos-upgrade-webkit2gtk3-jsc-debuginfo centos-upgrade-webkit2gtk3-jsc-devel centos-upgrade-webkit2gtk3-jsc-devel-debuginfo References CVE-2023-37450

Oracle MySQL Vulnerability: CVE-2023-22038 Severity 3 CVSS (AV:N/AC:L/Au:M/C:N/I:P/A:N) Published 07/18/2023 Created 07/27/2023 Added 07/27/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges).Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2023-22038 CVE - 2023-22038 https://www.oracle.com/security-alerts/cpujul2023.html

Oracle MySQL Vulnerability: CVE-2023-22005 Severity 6 CVSS (AV:N/AC:M/Au:M/C:N/I:N/A:C) Published 07/18/2023 Created 07/27/2023 Added 07/27/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2023-22005 CVE - 2023-22005 https://www.oracle.com/security-alerts/cpujul2023.html

Ubuntu: USN-6471-1 (CVE-2022-33065): libsndfile vulnerability Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 07/18/2023 Created 11/04/2023 Added 11/03/2023 Modified 01/28/2025 Description Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts. Solution(s) ubuntu-pro-upgrade-libsndfile1 ubuntu-pro-upgrade-sndfile-programs References https://attackerkb.com/topics/cve-2022-33065 CVE - 2022-33065 USN-6471-1

Amazon Linux AMI 2: CVE-2023-22043: Security patch for java-1.8.0-amazon-corretto, java-1.8.0-openjdk, java-11-amazon-corretto, java-11-openjdk, java-17-amazon-corretto (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 07/18/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.Successful attacks of this vulnerability can result inunauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.9 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). Solution(s) amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-1-8-0-openjdk amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debuginfo amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src-debug amazon-linux-ami-2-upgrade-java-11-amazon-corretto amazon-linux-ami-2-upgrade-java-11-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-11-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-11-openjdk amazon-linux-ami-2-upgrade-java-11-openjdk-debug amazon-linux-ami-2-upgrade-java-11-openjdk-debuginfo amazon-linux-ami-2-upgrade-java-11-openjdk-demo amazon-linux-ami-2-upgrade-java-11-openjdk-demo-debug amazon-linux-ami-2-upgrade-java-11-openjdk-devel amazon-linux-ami-2-upgrade-java-11-openjdk-devel-debug amazon-linux-ami-2-upgrade-java-11-openjdk-headless amazon-linux-ami-2-upgrade-java-11-openjdk-headless-debug amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-debug amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip-debug amazon-linux-ami-2-upgrade-java-11-openjdk-jmods amazon-linux-ami-2-upgrade-java-11-openjdk-jmods-debug amazon-linux-ami-2-upgrade-java-11-openjdk-src amazon-linux-ami-2-upgrade-java-11-openjdk-src-debug amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs-debug amazon-linux-ami-2-upgrade-java-17-amazon-corretto amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22043 AL2/ALAS-2023-2137 AL2/ALAS-2023-2138 AL2/ALAS-2023-2189 AL2/ALASCORRETTO8-2023-007 AL2/ALASJAVA-OPENJDK11-2023-005 CVE - 2023-22043

Amazon Linux AMI 2: CVE-2023-22045: Security patch for java-1.8.0-amazon-corretto, java-1.8.0-openjdk, java-11-amazon-corretto, java-11-openjdk, java-17-amazon-corretto (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 07/18/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). Solution(s) amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-1-8-0-openjdk amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debuginfo amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src-debug amazon-linux-ami-2-upgrade-java-11-amazon-corretto amazon-linux-ami-2-upgrade-java-11-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-11-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-11-openjdk amazon-linux-ami-2-upgrade-java-11-openjdk-debug amazon-linux-ami-2-upgrade-java-11-openjdk-debuginfo amazon-linux-ami-2-upgrade-java-11-openjdk-demo amazon-linux-ami-2-upgrade-java-11-openjdk-demo-debug amazon-linux-ami-2-upgrade-java-11-openjdk-devel amazon-linux-ami-2-upgrade-java-11-openjdk-devel-debug amazon-linux-ami-2-upgrade-java-11-openjdk-headless amazon-linux-ami-2-upgrade-java-11-openjdk-headless-debug amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-debug amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip-debug amazon-linux-ami-2-upgrade-java-11-openjdk-jmods amazon-linux-ami-2-upgrade-java-11-openjdk-jmods-debug amazon-linux-ami-2-upgrade-java-11-openjdk-src amazon-linux-ami-2-upgrade-java-11-openjdk-src-debug amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs-debug amazon-linux-ami-2-upgrade-java-17-amazon-corretto amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22045 AL2/ALAS-2023-2137 AL2/ALAS-2023-2138 AL2/ALAS-2023-2189 AL2/ALASCORRETTO8-2023-007 AL2/ALASJAVA-OPENJDK11-2023-005 CVE - 2023-22045

Amazon Linux AMI 2: CVE-2023-22049: Security patch for java-1.8.0-amazon-corretto, java-11-amazon-corretto, java-17-amazon-corretto (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/18/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-11-amazon-corretto amazon-linux-ami-2-upgrade-java-11-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-11-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22049 AL2/ALAS-2023-2137 AL2/ALAS-2023-2138 AL2/ALASCORRETTO8-2023-007 CVE - 2023-22049

Oracle Database: Critical Patch Update - July 2023 (CVE-2023-22052) Severity 4 CVSS (AV:N/AC:M/Au:S/C:N/I:P/A:N) Published 07/18/2023 Created 07/19/2023 Added 07/18/2023 Modified 01/28/2025 Description Vulnerability in the Java VM component of Oracle Database Server.Supported versions that are affected are 19.3-19.19 and21.3-21.10. Difficult to exploit vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise Java VM.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Java VM accessible data. CVSS 3.1 Base Score 3.1 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N). Solution(s) oracle-apply-jul-2023-cpu References https://attackerkb.com/topics/cve-2023-22052 CVE - 2023-22052 http://www.oracle.com/security-alerts/cpujul2023.html https://support.oracle.com/rs?type=doc&id=2946185.1

Oracle Database: Critical Patch Update - July 2023 (CVE-2023-22034) Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:C/A:N) Published 07/18/2023 Created 07/19/2023 Added 07/18/2023 Modified 01/28/2025 Description Vulnerability in the Unified Audit component of Oracle Database Server.Supported versions that are affected are 19.3-19.19 and21.3-21.10. Easily exploitable vulnerability allows high privileged attacker having SYSDBA privilege with network access via Oracle Net to compromise Unified Audit.Successful attacks of this vulnerability can result inunauthorized creation, deletion or modification access to critical data or all Unified Audit accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N). Solution(s) oracle-apply-jul-2023-cpu References https://attackerkb.com/topics/cve-2023-22034 CVE - 2023-22034 http://www.oracle.com/security-alerts/cpujul2023.html https://support.oracle.com/rs?type=doc&id=2946185.1