ISHACK AI BOT

IBM AIX: java_nov2024_advisory (CVE-2024-21131): Vulnerability in IBM Java SDK affects AIX Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/16/2024 Created 11/21/2024 Added 11/20/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) ibm-aix-java_nov2024_advisory References https://attackerkb.com/topics/cve-2024-21131 CVE - 2024-21131 https://aix.software.ibm.com/aix/efixes/security/java_nov2024_advisory.asc

Huawei EulerOS: CVE-2022-48788: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/16/2024 Created 01/23/2025 Added 01/21/2025 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: fix possible use-after-free in transport error_recovery work While nvme_rdma_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state. Solution(s) huawei-euleros-2_0_sp8-upgrade-bpftool huawei-euleros-2_0_sp8-upgrade-kernel huawei-euleros-2_0_sp8-upgrade-kernel-devel huawei-euleros-2_0_sp8-upgrade-kernel-headers huawei-euleros-2_0_sp8-upgrade-kernel-tools huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs huawei-euleros-2_0_sp8-upgrade-perf huawei-euleros-2_0_sp8-upgrade-python-perf huawei-euleros-2_0_sp8-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48788 CVE - 2022-48788 EulerOS-SA-2025-1123

IBM AIX: java_nov2024_advisory (CVE-2024-21144): Vulnerability in IBM Java SDK affects AIX Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 07/16/2024 Created 11/21/2024 Added 11/20/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) ibm-aix-java_nov2024_advisory References https://attackerkb.com/topics/cve-2024-21144 CVE - 2024-21144 https://aix.software.ibm.com/aix/efixes/security/java_nov2024_advisory.asc

Ubuntu: (Multiple Advisories) (CVE-2022-48808): Linux kernel vulnerabilities Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 07/30/2024 Added 07/29/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix panic when DSA master device unbinds on shutdown Rafael reports that on a system with LX2160A and Marvell DSA switches, if a reboot occurs while the DSA master (dpaa2-eth) is up, the following panic can be seen: systemd-shutdown[1]: Rebooting. Unable to handle kernel paging request at virtual address 00a0000800000041 [00a0000800000041] address between user and kernel address ranges Internal error: Oops: 96000004 [#1] PREEMPT SMP CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32 pc : dsa_slave_netdevice_event+0x130/0x3e4 lr : raw_notifier_call_chain+0x50/0x6c Call trace: dsa_slave_netdevice_event+0x130/0x3e4 raw_notifier_call_chain+0x50/0x6c call_netdevice_notifiers_info+0x54/0xa0 __dev_close_many+0x50/0x130 dev_close_many+0x84/0x120 unregister_netdevice_many+0x130/0x710 unregister_netdevice_queue+0x8c/0xd0 unregister_netdev+0x20/0x30 dpaa2_eth_remove+0x68/0x190 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c/0x220 device_release_driver_internal+0xac/0xb0 device_links_unbind_consumers+0xd4/0x100 __device_release_driver+0x94/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_device_remove+0x24/0x40 __fsl_mc_device_remove+0xc/0x20 device_for_each_child+0x58/0xa0 dprc_remove+0x90/0xb0 fsl_mc_driver_remove+0x20/0x5c __device_release_driver+0x21c/0x220 device_release_driver+0x28/0x40 bus_remove_device+0x118/0x124 device_del+0x174/0x420 fsl_mc_bus_remove+0x80/0x100 fsl_mc_bus_shutdown+0xc/0x1c platform_shutdown+0x20/0x30 device_shutdown+0x154/0x330 __do_sys_reboot+0x1cc/0x250 __arm64_sys_reboot+0x20/0x30 invoke_syscall.constprop.0+0x4c/0xe0 do_el0_svc+0x4c/0x150 el0_svc+0x24/0xb0 el0t_64_sync_handler+0xa8/0xb0 el0t_64_sync+0x178/0x17c It can be seen from the stack trace that the problem is that the deregistration of the master causes a dev_close(), which gets notified as NETDEV_GOING_DOWN to dsa_slave_netdevice_event(). But dsa_switch_shutdown() has already run, and this has unregistered the DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to call dev_close_many() on those slave interfaces, leading to the problem. The previous attempt to avoid the NETDEV_GOING_DOWN on the master after dsa_switch_shutdown() was called seems improper. Unregistering the slave interfaces is unnecessary and unhelpful. Instead, after the slaves have stopped being uppers of the DSA master, we can now reset to NULL the master->dsa_ptr pointer, which will make DSA start ignoring all future notifier events on the master. Solution(s) ubuntu-upgrade-linux-image-5-15-0-1035-xilinx-zynqmp ubuntu-upgrade-linux-image-5-15-0-1058-raspi ubuntu-upgrade-linux-image-5-15-0-1065-gcp ubuntu-upgrade-linux-image-5-15-0-1068-azure ubuntu-upgrade-linux-image-5-15-0-1068-azure-fde ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-cvm ubuntu-upgrade-linux-image-azure-fde ubuntu-upgrade-linux-image-azure-fde-lts-22-04 ubuntu-upgrade-linux-image-azure-lts-22-04 ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-nolpae ubuntu-upgrade-linux-image-xilinx-zynqmp References https://attackerkb.com/topics/cve-2022-48808 CVE - 2022-48808 USN-6917-1 USN-6919-1 USN-6927-1 USN-7019-1

Ubuntu: (Multiple Advisories) (CVE-2022-48791): Linux kernel vulnerabilities Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/16/2024 Created 09/20/2024 Added 09/20/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared. Solution(s) ubuntu-upgrade-linux-image-4-15-0-1135-oracle ubuntu-upgrade-linux-image-4-15-0-1156-kvm ubuntu-upgrade-linux-image-4-15-0-1166-gcp ubuntu-upgrade-linux-image-4-15-0-1173-aws ubuntu-upgrade-linux-image-4-15-0-1181-azure ubuntu-upgrade-linux-image-4-15-0-229-generic ubuntu-upgrade-linux-image-4-15-0-229-lowlatency ubuntu-upgrade-linux-image-4-4-0-1136-aws ubuntu-upgrade-linux-image-4-4-0-1137-kvm ubuntu-upgrade-linux-image-4-4-0-1174-aws ubuntu-upgrade-linux-image-4-4-0-259-generic ubuntu-upgrade-linux-image-4-4-0-259-lowlatency ubuntu-upgrade-linux-image-5-4-0-1044-iot ubuntu-upgrade-linux-image-5-4-0-1052-xilinx-zynqmp ubuntu-upgrade-linux-image-5-4-0-1080-ibm ubuntu-upgrade-linux-image-5-4-0-1093-bluefield ubuntu-upgrade-linux-image-5-4-0-1100-gkeop ubuntu-upgrade-linux-image-5-4-0-1117-raspi ubuntu-upgrade-linux-image-5-4-0-1121-kvm ubuntu-upgrade-linux-image-5-4-0-1132-oracle ubuntu-upgrade-linux-image-5-4-0-1133-aws ubuntu-upgrade-linux-image-5-4-0-1137-gcp ubuntu-upgrade-linux-image-5-4-0-1138-azure ubuntu-upgrade-linux-image-5-4-0-196-generic ubuntu-upgrade-linux-image-5-4-0-196-generic-lpae ubuntu-upgrade-linux-image-5-4-0-196-lowlatency ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-aws-hwe ubuntu-upgrade-linux-image-aws-lts-18-04 ubuntu-upgrade-linux-image-aws-lts-20-04 ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-lts-18-04 ubuntu-upgrade-linux-image-azure-lts-20-04 ubuntu-upgrade-linux-image-bluefield ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-gcp-lts-18-04 ubuntu-upgrade-linux-image-gcp-lts-20-04 ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-hwe-16-04 ubuntu-upgrade-linux-image-generic-hwe-18-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-generic-lts-utopic ubuntu-upgrade-linux-image-generic-lts-vivid ubuntu-upgrade-linux-image-generic-lts-wily ubuntu-upgrade-linux-image-generic-lts-xenial ubuntu-upgrade-linux-image-gke ubuntu-upgrade-linux-image-gkeop ubuntu-upgrade-linux-image-gkeop-5-4 ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-ibm-lts-20-04 ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-hwe-16-04 ubuntu-upgrade-linux-image-lowlatency-hwe-18-04 ubuntu-upgrade-linux-image-lowlatency-lts-utopic ubuntu-upgrade-linux-image-lowlatency-lts-vivid ubuntu-upgrade-linux-image-lowlatency-lts-wily ubuntu-upgrade-linux-image-lowlatency-lts-xenial ubuntu-upgrade-linux-image-oem ubuntu-upgrade-linux-image-oem-osp1 ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-oracle-lts-18-04 ubuntu-upgrade-linux-image-oracle-lts-20-04 ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-hwe-18-04 ubuntu-upgrade-linux-image-raspi2 ubuntu-upgrade-linux-image-snapdragon-hwe-18-04 ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-16-04 ubuntu-upgrade-linux-image-virtual-hwe-18-04 ubuntu-upgrade-linux-image-virtual-lts-utopic ubuntu-upgrade-linux-image-virtual-lts-vivid ubuntu-upgrade-linux-image-virtual-lts-wily ubuntu-upgrade-linux-image-virtual-lts-xenial ubuntu-upgrade-linux-image-xilinx-zynqmp References https://attackerkb.com/topics/cve-2022-48791 CVE - 2022-48791 USN-7022-1 USN-7022-2 USN-7022-3 USN-7028-1 USN-7028-2 USN-7039-1 USN-7119-1 View more

Alma Linux: CVE-2022-48836: Important: kernel security update (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 09/27/2024 Added 09/26/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: Input: aiptek - properly check endpoint type Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint. Fix it by replacing old desc.bNumEndpoints check with usb_find_common_endpoints() helper for finding endpoints Fail log: usb 5-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: usb_hub_wq hub_event ... Call Trace: <TASK> aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 input_open_device+0x1bb/0x320 drivers/input/input.c:629 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 Solution(s) alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers alma-upgrade-kernel-debug alma-upgrade-kernel-debug-core alma-upgrade-kernel-debug-devel alma-upgrade-kernel-debug-modules alma-upgrade-kernel-debug-modules-extra alma-upgrade-kernel-devel alma-upgrade-kernel-doc alma-upgrade-kernel-headers alma-upgrade-kernel-modules alma-upgrade-kernel-modules-extra alma-upgrade-kernel-rt alma-upgrade-kernel-rt-core alma-upgrade-kernel-rt-debug alma-upgrade-kernel-rt-debug-core alma-upgrade-kernel-rt-debug-devel alma-upgrade-kernel-rt-debug-kvm alma-upgrade-kernel-rt-debug-modules alma-upgrade-kernel-rt-debug-modules-extra alma-upgrade-kernel-rt-devel alma-upgrade-kernel-rt-kvm alma-upgrade-kernel-rt-modules alma-upgrade-kernel-rt-modules-extra alma-upgrade-kernel-tools alma-upgrade-kernel-tools-libs alma-upgrade-kernel-tools-libs-devel alma-upgrade-kernel-zfcpdump alma-upgrade-kernel-zfcpdump-core alma-upgrade-kernel-zfcpdump-devel alma-upgrade-kernel-zfcpdump-modules alma-upgrade-kernel-zfcpdump-modules-extra alma-upgrade-perf alma-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48836 CVE - 2022-48836 https://errata.almalinux.org/8/ALSA-2024-7000.html https://errata.almalinux.org/8/ALSA-2024-7001.html

Alma Linux: CVE-2022-48804: Important: kernel security update (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 09/27/2024 Added 09/26/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: vt_ioctl: fix array_index_nospec in vt_setactivate array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console should be decreased first and then sanitized with array_index_nospec. Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam. Solution(s) alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers alma-upgrade-kernel-debug alma-upgrade-kernel-debug-core alma-upgrade-kernel-debug-devel alma-upgrade-kernel-debug-modules alma-upgrade-kernel-debug-modules-extra alma-upgrade-kernel-devel alma-upgrade-kernel-doc alma-upgrade-kernel-headers alma-upgrade-kernel-modules alma-upgrade-kernel-modules-extra alma-upgrade-kernel-rt alma-upgrade-kernel-rt-core alma-upgrade-kernel-rt-debug alma-upgrade-kernel-rt-debug-core alma-upgrade-kernel-rt-debug-devel alma-upgrade-kernel-rt-debug-kvm alma-upgrade-kernel-rt-debug-modules alma-upgrade-kernel-rt-debug-modules-extra alma-upgrade-kernel-rt-devel alma-upgrade-kernel-rt-kvm alma-upgrade-kernel-rt-modules alma-upgrade-kernel-rt-modules-extra alma-upgrade-kernel-tools alma-upgrade-kernel-tools-libs alma-upgrade-kernel-tools-libs-devel alma-upgrade-kernel-zfcpdump alma-upgrade-kernel-zfcpdump-core alma-upgrade-kernel-zfcpdump-devel alma-upgrade-kernel-zfcpdump-modules alma-upgrade-kernel-zfcpdump-modules-extra alma-upgrade-perf alma-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48804 CVE - 2022-48804 https://errata.almalinux.org/8/ALSA-2024-7000.html https://errata.almalinux.org/8/ALSA-2024-7001.html

Debian: CVE-2024-2884: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 07/16/2024 Created 07/22/2024 Added 07/22/2024 Modified 01/28/2025 Description Out of bounds read in V8 in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-2884 CVE - 2024-2884 DSA-5612-1

Debian: CVE-2024-21138: openjdk-11, openjdk-17 -- security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 07/16/2024 Created 08/08/2024 Added 08/07/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) debian-upgrade-openjdk-11 debian-upgrade-openjdk-17 References https://attackerkb.com/topics/cve-2024-21138 CVE - 2024-21138 DSA-5736-1

Debian: CVE-2024-21144: openjdk-11 -- security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 07/16/2024 Created 08/08/2024 Added 08/07/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) debian-upgrade-openjdk-11 References https://attackerkb.com/topics/cve-2024-21144 CVE - 2024-21144 DSA-5736-1

Debian: CVE-2023-7011: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 07/16/2024 Created 07/22/2024 Added 07/22/2024 Modified 01/28/2025 Description Inappropriate implementation in Picture in Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-7011 CVE - 2023-7011 DSA-5546-1

Oracle MySQL Vulnerability: CVE-2024-21157 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).Supported versions that are affected are 8.0.36 and prior and8.4.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2024-21157 CVE - 2024-21157 https://www.oracle.com/security-alerts/cpujul2024.html

Azul Zulu: CVE-2024-21140: Vulnerability in the Hotspot component Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 07/16/2024 Created 07/19/2024 Added 07/22/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well asunauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). Solution(s) azul-zulu-upgrade-latest References https://attackerkb.com/topics/cve-2024-21140 CVE - 2024-21140 https://www.azul.com/downloads/

Oracle E-Business Suite: CVE-2024-21169: Critical Patch Update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 07/26/2024 Description Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Partners).Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Marketing accessible data as well asunauthorized read access to a subset of Oracle Marketing accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). Solution(s) oracle-ebs-jul-2024-cpu-12_2 References https://attackerkb.com/topics/cve-2024-21169 CVE - 2024-21169 https://support.oracle.com/epmos/faces/DocumentDisplay?id=3029477.1 https://www.oracle.com/security-alerts/cpujul2024.html

Azul Zulu: CVE-2024-21131: Vulnerability in the Hotspot component Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/16/2024 Created 07/19/2024 Added 07/22/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) azul-zulu-upgrade-latest References https://attackerkb.com/topics/cve-2024-21131 CVE - 2024-21131 https://www.azul.com/downloads/

Oracle MySQL Vulnerability: CVE-2024-21165 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth).Supported versions that are affected are 8.0.37 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2024-21165 CVE - 2024-21165 https://www.oracle.com/security-alerts/cpujul2024.html

Oracle MySQL Vulnerability: CVE-2024-21166 Severity 7 CVSS (AV:N/AC:M/Au:M/C:N/I:C/A:C) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).Supported versions that are affected are 8.0.36 and prior and8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result inunauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2024-21166 CVE - 2024-21166 https://www.oracle.com/security-alerts/cpujul2024.html

Oracle MySQL Vulnerability: CVE-2024-21160 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).Supported versions that are affected are 8.0.36 and prior and8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2024-21160 CVE - 2024-21160 https://www.oracle.com/security-alerts/cpujul2024.html

Oracle MySQL Vulnerability: CVE-2024-21159 Severity 6 CVSS (AV:N/AC:L/Au:M/C:N/I:N/A:C) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).Supported versions that are affected are 8.0.36 and prior and8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2024-21159 CVE - 2024-21159 https://www.oracle.com/security-alerts/cpujul2024.html

Oracle E-Business Suite: CVE-2024-21153: Critical Patch Update Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:N) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Quality Management Specs). The supported version that is affected is 12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development.Successful attacks of this vulnerability can result inunauthorized creation, deletion or modification access to critical data or all Oracle Process Manufacturing Product Development accessible data as well asunauthorized access to critical data or complete access to all Oracle Process Manufacturing Product Development accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). Solution(s) oracle-ebs-jul-2024-cpu-12_2 References https://attackerkb.com/topics/cve-2024-21153 CVE - 2024-21153 https://support.oracle.com/epmos/faces/DocumentDisplay?id=3029477.1 https://www.oracle.com/security-alerts/cpujul2024.html

Oracle E-Business Suite: CVE-2024-21167: Critical Patch Update Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:N) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Trading Community product of Oracle E-Business Suite (component: Party Search UI).Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Trading Community.Successful attacks of this vulnerability can result inunauthorized creation, deletion or modification access to critical data or all Oracle Trading Community accessible data as well asunauthorized access to critical data or complete access to all Oracle Trading Community accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). Solution(s) oracle-ebs-jul-2024-cpu-12_2 References https://attackerkb.com/topics/cve-2024-21167 CVE - 2024-21167 https://support.oracle.com/epmos/faces/DocumentDisplay?id=3029477.1 https://www.oracle.com/security-alerts/cpujul2024.html

Debian: CVE-2019-25154: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/16/2024 Created 07/22/2024 Added 07/22/2024 Modified 01/28/2025 Description Inappropriate implementation in iframe in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2019-25154 CVE - 2019-25154 DSA-4562-1

Amazon Linux AMI 2: CVE-2024-6655: Security patch for gtk2, gtk3 (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/16/2024 Created 08/14/2024 Added 08/14/2024 Modified 08/14/2024 Description A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. Solution(s) amazon-linux-ami-2-upgrade-gtk-update-icon-cache amazon-linux-ami-2-upgrade-gtk2 amazon-linux-ami-2-upgrade-gtk2-debuginfo amazon-linux-ami-2-upgrade-gtk2-devel amazon-linux-ami-2-upgrade-gtk2-devel-docs amazon-linux-ami-2-upgrade-gtk2-immodule-xim amazon-linux-ami-2-upgrade-gtk2-immodules amazon-linux-ami-2-upgrade-gtk3 amazon-linux-ami-2-upgrade-gtk3-debuginfo amazon-linux-ami-2-upgrade-gtk3-devel amazon-linux-ami-2-upgrade-gtk3-devel-docs amazon-linux-ami-2-upgrade-gtk3-immodule-xim amazon-linux-ami-2-upgrade-gtk3-immodules amazon-linux-ami-2-upgrade-gtk3-tests References https://attackerkb.com/topics/cve-2024-6655 AL2/ALAS-2024-2602 AL2/ALAS-2024-2603 CVE - 2024-6655

SUSE: CVE-2024-6775: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/16/2024 Created 07/23/2024 Added 07/23/2024 Modified 01/28/2025 Description Use after free in Media Stream in Google Chrome prior to 126.0.6478.182 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2024-6775 CVE - 2024-6775

SUSE: CVE-2024-6773: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/16/2024 Created 07/23/2024 Added 07/23/2024 Modified 01/28/2025 Description Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2024-6773 CVE - 2024-6773