ISHACK AI BOT

Amazon Linux AMI 2: CVE-2023-0160: Security patch for kernel (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/18/2023 Created 07/09/2024 Added 07/09/2024 Modified 01/28/2025 Description A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system. Solution(s) amazon-linux-ami-2-upgrade-bpftool amazon-linux-ami-2-upgrade-bpftool-debuginfo amazon-linux-ami-2-upgrade-kernel amazon-linux-ami-2-upgrade-kernel-debuginfo amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64 amazon-linux-ami-2-upgrade-kernel-devel amazon-linux-ami-2-upgrade-kernel-headers amazon-linux-ami-2-upgrade-kernel-livepatch-5-10-184-174-730 amazon-linux-ami-2-upgrade-kernel-livepatch-5-15-117-72-142 amazon-linux-ami-2-upgrade-kernel-tools amazon-linux-ami-2-upgrade-kernel-tools-debuginfo amazon-linux-ami-2-upgrade-kernel-tools-devel amazon-linux-ami-2-upgrade-perf amazon-linux-ami-2-upgrade-perf-debuginfo amazon-linux-ami-2-upgrade-python-perf amazon-linux-ami-2-upgrade-python-perf-debuginfo References https://attackerkb.com/topics/cve-2023-0160 AL2/ALASKERNEL-5.10-2023-034 AL2/ALASKERNEL-5.15-2023-021 AL2/ALASKERNEL-5.4-2023-047 CVE - 2023-0160

Amazon Linux AMI 2: CVE-2023-22036: Security patch for java-11-amazon-corretto, java-11-openjdk, java-17-amazon-corretto (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 07/18/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility).Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) amazon-linux-ami-2-upgrade-java-11-amazon-corretto amazon-linux-ami-2-upgrade-java-11-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-11-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-11-openjdk amazon-linux-ami-2-upgrade-java-11-openjdk-debug amazon-linux-ami-2-upgrade-java-11-openjdk-debuginfo amazon-linux-ami-2-upgrade-java-11-openjdk-demo amazon-linux-ami-2-upgrade-java-11-openjdk-demo-debug amazon-linux-ami-2-upgrade-java-11-openjdk-devel amazon-linux-ami-2-upgrade-java-11-openjdk-devel-debug amazon-linux-ami-2-upgrade-java-11-openjdk-headless amazon-linux-ami-2-upgrade-java-11-openjdk-headless-debug amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-debug amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip-debug amazon-linux-ami-2-upgrade-java-11-openjdk-jmods amazon-linux-ami-2-upgrade-java-11-openjdk-jmods-debug amazon-linux-ami-2-upgrade-java-11-openjdk-src amazon-linux-ami-2-upgrade-java-11-openjdk-src-debug amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs-debug amazon-linux-ami-2-upgrade-java-17-amazon-corretto amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22036 AL2/ALAS-2023-2137 AL2/ALAS-2023-2138 AL2/ALASJAVA-OPENJDK11-2023-005 CVE - 2023-22036

Amazon Linux AMI 2: CVE-2023-22006: Security patch for java-11-amazon-corretto, java-17-amazon-corretto (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 07/18/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking).Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). Solution(s) amazon-linux-ami-2-upgrade-java-11-amazon-corretto amazon-linux-ami-2-upgrade-java-11-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-11-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22006 AL2/ALAS-2023-2137 AL2/ALAS-2023-2138 CVE - 2023-22006

Amazon Linux 2023: CVE-2023-22041: Medium priority package update for java-11-amazon-corretto (Multiple Advisories) Severity 4 CVSS (AV:L/AC:H/Au:N/C:C/I:N/A:N) Published 07/18/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). Solution(s) amazon-linux-2023-upgrade-java-11-amazon-corretto amazon-linux-2023-upgrade-java-11-amazon-corretto-devel amazon-linux-2023-upgrade-java-11-amazon-corretto-headless amazon-linux-2023-upgrade-java-11-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-11-amazon-corretto-jmods amazon-linux-2023-upgrade-java-17-amazon-corretto amazon-linux-2023-upgrade-java-17-amazon-corretto-devel amazon-linux-2023-upgrade-java-17-amazon-corretto-headless amazon-linux-2023-upgrade-java-17-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22041 CVE - 2023-22041 https://alas.aws.amazon.com/AL2023/ALAS-2023-257.html https://alas.aws.amazon.com/AL2023/ALAS-2023-258.html

Amazon Linux 2023: CVE-2023-22045: Medium priority package update for java-1.8.0-amazon-corretto (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:P/I:N/A:N) Published 07/18/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). Solution(s) amazon-linux-2023-upgrade-java-11-amazon-corretto amazon-linux-2023-upgrade-java-11-amazon-corretto-devel amazon-linux-2023-upgrade-java-11-amazon-corretto-headless amazon-linux-2023-upgrade-java-11-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-11-amazon-corretto-jmods amazon-linux-2023-upgrade-java-17-amazon-corretto amazon-linux-2023-upgrade-java-17-amazon-corretto-devel amazon-linux-2023-upgrade-java-17-amazon-corretto-headless amazon-linux-2023-upgrade-java-17-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-17-amazon-corretto-jmods amazon-linux-2023-upgrade-java-1-8-0-amazon-corretto amazon-linux-2023-upgrade-java-1-8-0-amazon-corretto-devel References https://attackerkb.com/topics/cve-2023-22045 CVE - 2023-22045 https://alas.aws.amazon.com/AL2023/ALAS-2023-256.html https://alas.aws.amazon.com/AL2023/ALAS-2023-257.html https://alas.aws.amazon.com/AL2023/ALAS-2023-258.html

Amazon Linux 2023: CVE-2023-22044: Medium priority package update for java-17-amazon-corretto Severity 3 CVSS (AV:N/AC:H/Au:N/C:P/I:N/A:N) Published 07/18/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). Solution(s) amazon-linux-2023-upgrade-java-17-amazon-corretto amazon-linux-2023-upgrade-java-17-amazon-corretto-devel amazon-linux-2023-upgrade-java-17-amazon-corretto-headless amazon-linux-2023-upgrade-java-17-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22044 CVE - 2023-22044 https://alas.aws.amazon.com/AL2023/ALAS-2023-258.html

Amazon Linux 2023: CVE-2023-22049: Medium priority package update for java-1.8.0-amazon-corretto (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 07/18/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) amazon-linux-2023-upgrade-java-11-amazon-corretto amazon-linux-2023-upgrade-java-11-amazon-corretto-devel amazon-linux-2023-upgrade-java-11-amazon-corretto-headless amazon-linux-2023-upgrade-java-11-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-11-amazon-corretto-jmods amazon-linux-2023-upgrade-java-17-amazon-corretto amazon-linux-2023-upgrade-java-17-amazon-corretto-devel amazon-linux-2023-upgrade-java-17-amazon-corretto-headless amazon-linux-2023-upgrade-java-17-amazon-corretto-javadoc amazon-linux-2023-upgrade-java-17-amazon-corretto-jmods amazon-linux-2023-upgrade-java-1-8-0-amazon-corretto amazon-linux-2023-upgrade-java-1-8-0-amazon-corretto-devel References https://attackerkb.com/topics/cve-2023-22049 CVE - 2023-22049 https://alas.aws.amazon.com/AL2023/ALAS-2023-256.html https://alas.aws.amazon.com/AL2023/ALAS-2023-257.html https://alas.aws.amazon.com/AL2023/ALAS-2023-258.html

FreeBSD: VID-759A5599-3CE8-11EE-A0D1-84A93843EB75 (CVE-2023-22058): MySQL -- Multiple vulnerabilities Severity 6 CVSS (AV:N/AC:M/Au:M/C:N/I:N/A:C) Published 07/18/2023 Created 08/21/2023 Added 08/18/2023 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) freebsd-upgrade-package-mysql-client57 freebsd-upgrade-package-mysql-client80 freebsd-upgrade-package-mysql-connector-c freebsd-upgrade-package-mysql-server57 freebsd-upgrade-package-mysql-server80 References CVE-2023-22058

FreeBSD: VID-BC90E894-264B-11EE-A468-80FA5B29D485 (CVE-2023-22018): virtualbox-ose -- multiple vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/18/2023 Created 07/25/2023 Added 07/21/2023 Modified 01/28/2025 Description Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).Supported versions that are affected are Prior to 6.1.46 andPrior to 7.0.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox.Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Solution(s) freebsd-upgrade-package-virtualbox-ose References CVE-2023-22018

Debian: CVE-2023-38427: linux -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/18/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description An issue was discovered in the Linux kernel before 6.3.8. fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and out-of-bounds read in deassemble_neg_contexts. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-38427 CVE - 2023-38427

Debian: CVE-2023-38428: linux -- security update Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 07/18/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value because it does not consider the address of security buffer, leading to an out-of-bounds read. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-38428 CVE - 2023-38428

Oracle Linux: CVE-2023-22057: ELSA-2024-1141:mysql security update (MODERATE) (Multiple Advisories) Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 07/18/2023 Created 02/24/2024 Added 02/22/2024 Modified 01/07/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) oracle-linux-upgrade-mecab oracle-linux-upgrade-mecab-devel oracle-linux-upgrade-mecab-ipadic oracle-linux-upgrade-mecab-ipadic-eucjp oracle-linux-upgrade-mysql oracle-linux-upgrade-mysql-common oracle-linux-upgrade-mysql-devel oracle-linux-upgrade-mysql-errmsg oracle-linux-upgrade-mysql-libs oracle-linux-upgrade-mysql-server oracle-linux-upgrade-mysql-test References https://attackerkb.com/topics/cve-2023-22057 CVE - 2023-22057 ELSA-2024-1141 ELSA-2024-0894

Rocky Linux: CVE-2023-22049: java-1.8.0-openjdk (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/18/2023 Created 03/07/2024 Added 03/05/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) rocky-upgrade-java-1.8.0-openjdk rocky-upgrade-java-1.8.0-openjdk-accessibility rocky-upgrade-java-1.8.0-openjdk-accessibility-fastdebug rocky-upgrade-java-1.8.0-openjdk-accessibility-slowdebug rocky-upgrade-java-1.8.0-openjdk-debuginfo rocky-upgrade-java-1.8.0-openjdk-debugsource rocky-upgrade-java-1.8.0-openjdk-demo rocky-upgrade-java-1.8.0-openjdk-demo-debuginfo rocky-upgrade-java-1.8.0-openjdk-demo-fastdebug rocky-upgrade-java-1.8.0-openjdk-demo-fastdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-demo-slowdebug rocky-upgrade-java-1.8.0-openjdk-demo-slowdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-devel rocky-upgrade-java-1.8.0-openjdk-devel-debuginfo rocky-upgrade-java-1.8.0-openjdk-devel-fastdebug rocky-upgrade-java-1.8.0-openjdk-devel-fastdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-devel-slowdebug rocky-upgrade-java-1.8.0-openjdk-devel-slowdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-fastdebug rocky-upgrade-java-1.8.0-openjdk-fastdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-headless rocky-upgrade-java-1.8.0-openjdk-headless-debuginfo rocky-upgrade-java-1.8.0-openjdk-headless-fastdebug rocky-upgrade-java-1.8.0-openjdk-headless-fastdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-headless-slowdebug rocky-upgrade-java-1.8.0-openjdk-headless-slowdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-slowdebug rocky-upgrade-java-1.8.0-openjdk-slowdebug-debuginfo rocky-upgrade-java-1.8.0-openjdk-src rocky-upgrade-java-1.8.0-openjdk-src-fastdebug rocky-upgrade-java-1.8.0-openjdk-src-slowdebug References https://attackerkb.com/topics/cve-2023-22049 CVE - 2023-22049 https://errata.rockylinux.org/RLSA-2023:4176 https://errata.rockylinux.org/RLSA-2023:4178

Oracle Linux: CVE-2023-22005: ELSA-2024-1141:mysql security update (MODERATE) (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:M/C:N/I:N/A:C) Published 07/18/2023 Created 02/24/2024 Added 02/22/2024 Modified 01/07/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).Supported versions that are affected are 8.0.33 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) oracle-linux-upgrade-mecab oracle-linux-upgrade-mecab-devel oracle-linux-upgrade-mecab-ipadic oracle-linux-upgrade-mecab-ipadic-eucjp oracle-linux-upgrade-mysql oracle-linux-upgrade-mysql-common oracle-linux-upgrade-mysql-devel oracle-linux-upgrade-mysql-errmsg oracle-linux-upgrade-mysql-libs oracle-linux-upgrade-mysql-server oracle-linux-upgrade-mysql-test References https://attackerkb.com/topics/cve-2023-22005 CVE - 2023-22005 ELSA-2024-1141 ELSA-2024-0894

Oracle WebLogic: CVE-2023-22031 : Critical Patch Update Severity 6 CVSS (AV:N/AC:M/Au:M/C:N/I:N/A:C) Published 07/18/2023 Created 07/19/2023 Added 07/19/2023 Modified 01/28/2025 Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).Supported versions that are affected are 14.1.1.0.0 and12.2.1.4.0. Difficult to exploit vulnerability allows high privileged attacker with network access via T3, IIOP to compromise Oracle WebLogic Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 4.4 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) oracle-weblogic-jul-2023-cpu-12_2_1_4_0 oracle-weblogic-jul-2023-cpu-14_1_1_0_0 References https://attackerkb.com/topics/cve-2023-22031 CVE - 2023-22031 http://www.oracle.com/security-alerts/cpujul2023.html https://support.oracle.com/rs?type=doc&id=2958367.2

Alpine Linux: CVE-2023-22044: Vulnerability in Multiple Components Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 07/18/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). Solution(s) alpine-linux-upgrade-openjdk17 References https://attackerkb.com/topics/cve-2023-22044 CVE - 2023-22044 https://security.alpinelinux.org/vuln/CVE-2023-22044

Alpine Linux: CVE-2022-33064: Off-by-one Error Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 07/18/2023 Created 03/22/2024 Added 03/21/2024 Modified 03/22/2024 Description An off-by-one error in function wav_read_header in src/wav.c in Libsndfile 1.1.0, results in a write out of bound, which allows an attacker to execute arbitrary code, Denial of Service or other unspecified impacts. Solution(s) alpine-linux-upgrade-libsndfile References https://attackerkb.com/topics/cve-2022-33064 CVE - 2022-33064 https://security.alpinelinux.org/vuln/CVE-2022-33064

Red Hat: CVE-2022-33065: libsndfile: integer overflow in src/mat4.c and src/au.c leads to DoS (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C) Published 07/18/2023 Created 05/01/2024 Added 05/01/2024 Modified 09/03/2024 Description Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts. Solution(s) redhat-upgrade-libsndfile redhat-upgrade-libsndfile-debuginfo redhat-upgrade-libsndfile-debugsource redhat-upgrade-libsndfile-devel redhat-upgrade-libsndfile-utils redhat-upgrade-libsndfile-utils-debuginfo References CVE-2022-33065 RHSA-2024:2184 RHSA-2024:3030

Amazon Linux AMI 2: CVE-2023-22044: Security patch for java-17-amazon-corretto (ALAS-2023-2138) Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 07/18/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.Successful attacks of this vulnerability can result inunauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). Solution(s) amazon-linux-ami-2-upgrade-java-17-amazon-corretto amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2023-22044 AL2/ALAS-2023-2138 CVE - 2023-22044

Alma Linux: CVE-2023-38409: Moderate: kernel security, bug fix, and enhancement update (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/17/2023 Created 06/01/2024 Added 05/31/2024 Modified 01/28/2025 Description An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info). Solution(s) alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers alma-upgrade-kernel-debug alma-upgrade-kernel-debug-core alma-upgrade-kernel-debug-devel alma-upgrade-kernel-debug-modules alma-upgrade-kernel-debug-modules-extra alma-upgrade-kernel-devel alma-upgrade-kernel-doc alma-upgrade-kernel-headers alma-upgrade-kernel-modules alma-upgrade-kernel-modules-extra alma-upgrade-kernel-rt alma-upgrade-kernel-rt-core alma-upgrade-kernel-rt-debug alma-upgrade-kernel-rt-debug-core alma-upgrade-kernel-rt-debug-devel alma-upgrade-kernel-rt-debug-kvm alma-upgrade-kernel-rt-debug-modules alma-upgrade-kernel-rt-debug-modules-extra alma-upgrade-kernel-rt-devel alma-upgrade-kernel-rt-kvm alma-upgrade-kernel-rt-modules alma-upgrade-kernel-rt-modules-extra alma-upgrade-kernel-tools alma-upgrade-kernel-tools-libs alma-upgrade-kernel-tools-libs-devel alma-upgrade-kernel-zfcpdump alma-upgrade-kernel-zfcpdump-core alma-upgrade-kernel-zfcpdump-devel alma-upgrade-kernel-zfcpdump-modules alma-upgrade-kernel-zfcpdump-modules-extra alma-upgrade-perf alma-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-38409 CVE - 2023-38409 https://errata.almalinux.org/8/ALSA-2024-2950.html https://errata.almalinux.org/8/ALSA-2024-3138.html

Debian: CVE-2021-3838: php-dompdf -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/17/2023 Created 07/17/2023 Added 07/17/2023 Modified 01/28/2025 Description DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code. Solution(s) debian-upgrade-php-dompdf References https://attackerkb.com/topics/cve-2021-3838 CVE - 2021-3838 DLA-3495-1

Amazon Linux AMI 2: CVE-2023-38403: Security patch for iperf3 (ALAS-2023-2153) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 07/27/2023 Added 07/27/2023 Modified 01/28/2025 Description iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. Solution(s) amazon-linux-ami-2-upgrade-iperf3 amazon-linux-ami-2-upgrade-iperf3-debuginfo amazon-linux-ami-2-upgrade-iperf3-devel References https://attackerkb.com/topics/cve-2023-38403 AL2/ALAS-2023-2153 CVE - 2023-38403

OS X update for iperf3 (CVE-2023-38403) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 10/27/2023 Added 10/26/2023 Modified 01/28/2025 Description iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. Solution(s) apple-osx-upgrade-13_6_1 apple-osx-upgrade-14_1 References https://attackerkb.com/topics/cve-2023-38403 CVE - 2023-38403 https://support.apple.com/kb/HT213984 https://support.apple.com/kb/HT213985

Red Hat: CVE-2023-38409: kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/17/2023 Created 11/30/2023 Added 11/29/2023 Modified 01/28/2025 Description An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info). Solution(s) redhat-upgrade-kernel redhat-upgrade-kernel-rt References CVE-2023-38409 RHSA-2023:7539 RHSA-2024:0412 RHSA-2024:0439 RHSA-2024:0448 RHSA-2024:0461 RHSA-2024:1249 RHSA-2024:1250 RHSA-2024:1306 RHSA-2024:1332 RHSA-2024:2950 RHSA-2024:3138 View more

Alma Linux: CVE-2023-38403: Important: iperf3 security update (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/17/2023 Created 08/10/2023 Added 08/10/2023 Modified 01/28/2025 Description iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. Solution(s) alma-upgrade-iperf3 References https://attackerkb.com/topics/cve-2023-38403 CVE - 2023-38403 https://errata.almalinux.org/8/ALSA-2023-4570.html https://errata.almalinux.org/9/ALSA-2023-4571.html