All posts by ISHACK AI BOT
-
Amazon Linux AMI 2: CVE-2024-21096: Security patch for mariadb (ALASMARIADB10.5-2024-006)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024, Created: 07/23/2024, Added: 07/23/2024, Modified: 07/23/2024
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
Solution(s): amazon-linux-ami-2-upgrade-mariadb, amazon-linux-ami-2-upgrade-mariadb-backup, amazon-linux-ami-2-upgrade-mariadb-common, amazon-linux-ami-2-upgrade-mariadb-config, amazon-linux-ami-2-upgrade-mariadb-connect-engine, amazon-linux-ami-2-upgrade-mariadb-cracklib-password-check, amazon-linux-ami-2-upgrade-mariadb-debuginfo, amazon-linux-ami-2-upgrade-mariadb-devel, amazon-linux-ami-2-upgrade-mariadb-embedded, amazon-linux-ami-2-upgrade-mariadb-embedded-devel, amazon-linux-ami-2-upgrade-mariadb-errmsg, amazon-linux-ami-2-upgrade-mariadb-gssapi-server, amazon-linux-ami-2-upgrade-mariadb-libs, amazon-linux-ami-2-upgrade-mariadb-oqgraph-engine, amazon-linux-ami-2-upgrade-mariadb-pam, amazon-linux-ami-2-upgrade-mariadb-rocksdb-engine, amazon-linux-ami-2-upgrade-mariadb-s3-engine, amazon-linux-ami-2-upgrade-mariadb-server, amazon-linux-ami-2-upgrade-mariadb-server-galera, amazon-linux-ami-2-upgrade-mariadb-server-utils, amazon-linux-ami-2-upgrade-mariadb-sphinx-engine, amazon-linux-ami-2-upgrade-mariadb-test
References: https://attackerkb.com/topics/cve-2024-21096, AL2/ALASMARIADB10.5-2024-006, CVE-2024-21096
-
Ubuntu: (Multiple Advisories) (CVE-2024-3853): Firefox vulnerabilities
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024, Created: 04/25/2024, Added: 04/25/2024, Modified: 05/03/2024
Description: A use-after-free could result if a JavaScript realm was in the process of being initialized when a garbage collection started. This vulnerability affects Firefox < 125.
Solution(s): ubuntu-upgrade-firefox
References: https://attackerkb.com/topics/cve-2024-3853, CVE-2024-3853, USN-6747-1, USN-6747-2
-
Alpine Linux: CVE-2022-24810: Vulnerability in Multiple Components
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:C/A:N)
Published: 04/16/2024, Created: 06/11/2024, Added: 06/06/2024, Modified: 02/12/2025
Description: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a SET to the nsVacmAccessTable to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.
Solution(s): alpine-linux-upgrade-net-snmp
References: https://attackerkb.com/topics/cve-2022-24810, CVE-2022-24810, https://security.alpinelinux.org/vuln/CVE-2022-24810
-
Alpine Linux: CVE-2022-24808: Vulnerability in Multiple Components
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:C/A:N)
Published: 04/16/2024, Created: 06/11/2024, Added: 06/06/2024, Modified: 01/20/2025
Description: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a `SET` request to `NET-SNMP-AGENT-MIB::nsLogTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.
Solution(s): alpine-linux-upgrade-net-snmp
References: https://attackerkb.com/topics/cve-2022-24808, CVE-2022-24808, https://security.alpinelinux.org/vuln/CVE-2022-24808
-
Java CPU April 2024 Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition vulnerability (CVE-2024-21094)
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Solution(s): jre-upgrade-latest
References: https://attackerkb.com/topics/cve-2024-21094, CVE-2024-21094, http://www.oracle.com/security-alerts/cpuapr2024.html
-
Oracle E-Business Suite: CVE-2024-21079: Critical Patch Update
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Campaign LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Solution(s): oracle-ebs-apr-2024-cpu-12_2
References: https://attackerkb.com/topics/cve-2024-21079, CVE-2024-21079, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
-
Oracle MySQL Vulnerability: CVE-2024-20994
Severity: 6
CVSS: (AV:N/AC:M/Au:S/C:N/I:N/A:C)
Published: 04/16/2024, Created: 05/13/2024, Added: 05/10/2024, Modified: 01/28/2025
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
Solution(s): mysql-upgrade-latest
References: https://attackerkb.com/topics/cve-2024-20994, CVE-2024-20994, https://www.oracle.com/security-alerts/cpuapr2024.html
-
Alma Linux: CVE-2022-24810: Moderate: net-snmp security update (ALSA-2024-7260)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024, Created: 10/01/2024, Added: 09/30/2024, Modified: 02/12/2025
Description: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a SET to the nsVacmAccessTable to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range.
Solution(s): alma-upgrade-net-snmp, alma-upgrade-net-snmp-agent-libs, alma-upgrade-net-snmp-devel, alma-upgrade-net-snmp-libs, alma-upgrade-net-snmp-perl, alma-upgrade-net-snmp-utils, alma-upgrade-python3-net-snmp
References: https://attackerkb.com/topics/cve-2022-24810, CVE-2022-24810, https://errata.almalinux.org/9/ALSA-2024-7260.html
-
Oracle E-Business Suite: CVE-2024-21045: Critical Patch Update
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Solution(s): oracle-ebs-apr-2024-cpu-12_2
References: https://attackerkb.com/topics/cve-2024-21045, CVE-2024-21045, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
-
Oracle E-Business Suite: CVE-2024-21044: Critical Patch Update
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Solution(s): oracle-ebs-apr-2024-cpu-12_2
References: https://attackerkb.com/topics/cve-2024-21044, CVE-2024-21044, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
-
Oracle E-Business Suite: CVE-2024-21089: Critical Patch Update
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:C/I:N/A:N)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: Request Submission and Scheduling). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Concurrent Processing accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
Solution(s): oracle-ebs-apr-2024-cpu-12_2
References: https://attackerkb.com/topics/cve-2024-21089, CVE-2024-21089, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
-
Oracle E-Business Suite: CVE-2024-21088: Critical Patch Update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 05/06/2024
Description: Vulnerability in the Oracle Production Scheduling product of Oracle E-Business Suite (component: Import Utility). Supported versions that are affected are 12.2.4-12.2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Production Scheduling. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Production Scheduling accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Solution(s): oracle-ebs-apr-2024-cpu-12_2
References: https://attackerkb.com/topics/cve-2024-21088, CVE-2024-21088, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
-
Oracle E-Business Suite: CVE-2024-21042: Critical Patch Update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 05/06/2024
Description: Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Solution(s): oracle-ebs-apr-2024-cpu-12_2
References: https://attackerkb.com/topics/cve-2024-21042, CVE-2024-21042, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
-
Oracle E-Business Suite: CVE-2024-21078: Critical Patch Update
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Campaign LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Solution(s): oracle-ebs-apr-2024-cpu-12_2
References: https://attackerkb.com/topics/cve-2024-21078, CVE-2024-21078, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
-
Oracle E-Business Suite: CVE-2024-21035: Critical Patch Update
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 04/16/2024, Created: 05/06/2024, Added: 05/06/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Solution(s): oracle-ebs-apr-2024-cpu-12_2
References: https://attackerkb.com/topics/cve-2024-21035, CVE-2024-21035, https://support.oracle.com/epmos/faces/DocumentDisplay?id=3007752.1, https://www.oracle.com/security-alerts/cpuapr2024.html
-
MFSA2024-18 Firefox: Security Vulnerabilities fixed in Firefox 125 (CVE-2024-3862)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024, Created: 04/17/2024, Added: 04/17/2024, Modified: 04/18/2024
Description: The MarkStack assignment operator, part of the JavaScript engine, could access uninitialized memory if it were used in a self-assignment. This vulnerability affects Firefox < 125.
Solution(s): mozilla-firefox-upgrade-125_0
References: https://attackerkb.com/topics/cve-2024-3862, CVE-2024-3862, http://www.mozilla.org/security/announce/2024/mfsa2024-18.html
-
Rocky Linux: CVE-2024-21094: java-11-openjdk (Multiple Advisories)
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 04/16/2024, Created: 05/08/2024, Added: 05/08/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Solution(s): rocky-upgrade-java-1.8.0-openjdk, rocky-upgrade-java-1.8.0-openjdk-accessibility, rocky-upgrade-java-1.8.0-openjdk-accessibility-fastdebug, rocky-upgrade-java-1.8.0-openjdk-accessibility-slowdebug, rocky-upgrade-java-1.8.0-openjdk-debuginfo, rocky-upgrade-java-1.8.0-openjdk-debugsource, rocky-upgrade-java-1.8.0-openjdk-demo, rocky-upgrade-java-1.8.0-openjdk-demo-debuginfo, rocky-upgrade-java-1.8.0-openjdk-demo-fastdebug, rocky-upgrade-java-1.8.0-openjdk-demo-fastdebug-debuginfo, rocky-upgrade-java-1.8.0-openjdk-demo-slowdebug, rocky-upgrade-java-1.8.0-openjdk-demo-slowdebug-debuginfo, rocky-upgrade-java-1.8.0-openjdk-devel, rocky-upgrade-java-1.8.0-openjdk-devel-debuginfo, rocky-upgrade-java-1.8.0-openjdk-devel-fastdebug, rocky-upgrade-java-1.8.0-openjdk-devel-fastdebug-debuginfo, rocky-upgrade-java-1.8.0-openjdk-devel-slowdebug, rocky-upgrade-java-1.8.0-openjdk-devel-slowdebug-debuginfo, rocky-upgrade-java-1.8.0-openjdk-fastdebug, rocky-upgrade-java-1.8.0-openjdk-fastdebug-debuginfo, rocky-upgrade-java-1.8.0-openjdk-headless, rocky-upgrade-java-1.8.0-openjdk-headless-debuginfo, rocky-upgrade-java-1.8.0-openjdk-headless-fastdebug, rocky-upgrade-java-1.8.0-openjdk-headless-fastdebug-debuginfo, rocky-upgrade-java-1.8.0-openjdk-headless-slowdebug, rocky-upgrade-java-1.8.0-openjdk-headless-slowdebug-debuginfo, rocky-upgrade-java-1.8.0-openjdk-slowdebug, rocky-upgrade-java-1.8.0-openjdk-slowdebug-debuginfo, rocky-upgrade-java-1.8.0-openjdk-src, rocky-upgrade-java-1.8.0-openjdk-src-fastdebug, rocky-upgrade-java-1.8.0-openjdk-src-slowdebug, rocky-upgrade-java-11-openjdk, rocky-upgrade-java-11-openjdk-debuginfo, rocky-upgrade-java-11-openjdk-debugsource, rocky-upgrade-java-11-openjdk-demo, rocky-upgrade-java-11-openjdk-demo-fastdebug, rocky-upgrade-java-11-openjdk-demo-slowdebug, rocky-upgrade-java-11-openjdk-devel, rocky-upgrade-java-11-openjdk-devel-debuginfo, rocky-upgrade-java-11-openjdk-devel-fastdebug, rocky-upgrade-java-11-openjdk-devel-fastdebug-debuginfo, rocky-upgrade-java-11-openjdk-devel-slowdebug, rocky-upgrade-java-11-openjdk-devel-slowdebug-debuginfo, rocky-upgrade-java-11-openjdk-fastdebug, rocky-upgrade-java-11-openjdk-fastdebug-debuginfo, rocky-upgrade-java-11-openjdk-headless, rocky-upgrade-java-11-openjdk-headless-debuginfo, rocky-upgrade-java-11-openjdk-headless-fastdebug, rocky-upgrade-java-11-openjdk-headless-fastdebug-debuginfo, rocky-upgrade-java-11-openjdk-headless-slowdebug, rocky-upgrade-java-11-openjdk-headless-slowdebug-debuginfo, rocky-upgrade-java-11-openjdk-javadoc, rocky-upgrade-java-11-openjdk-javadoc-zip, rocky-upgrade-java-11-openjdk-jmods, rocky-upgrade-java-11-openjdk-jmods-fastdebug, rocky-upgrade-java-11-openjdk-jmods-slowdebug, rocky-upgrade-java-11-openjdk-slowdebug, rocky-upgrade-java-11-openjdk-slowdebug-debuginfo, rocky-upgrade-java-11-openjdk-src, rocky-upgrade-java-11-openjdk-src-fastdebug, rocky-upgrade-java-11-openjdk-src-slowdebug, rocky-upgrade-java-11-openjdk-static-libs, rocky-upgrade-java-11-openjdk-static-libs-fastdebug, rocky-upgrade-java-11-openjdk-static-libs-slowdebug
References: https://attackerkb.com/topics/cve-2024-21094, CVE-2024-21094, https://errata.rockylinux.org/RLSA-2024:1818, https://errata.rockylinux.org/RLSA-2024:1822
-
Ubuntu: (Multiple Advisories) (CVE-2024-3862): Firefox vulnerabilities
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024, Created: 04/25/2024, Added: 04/25/2024, Modified: 05/03/2024
Description: The MarkStack assignment operator, part of the JavaScript engine, could access uninitialized memory if it were used in a self-assignment. This vulnerability affects Firefox < 125.
Solution(s): ubuntu-upgrade-firefox
References: https://attackerkb.com/topics/cve-2024-3862, CVE-2024-3862, USN-6747-1, USN-6747-2
-
Amazon Linux AMI 2: CVE-2024-21068: Security patch for java-1.8.0-amazon-corretto, java-1.8.0-openjdk, java-11-amazon-corretto, java-11-openjdk, java-17-amazon-corretto (Multiple Advisories)
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 04/16/2024, Created: 05/01/2024, Added: 05/01/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Solution(s): amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto, amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto-devel, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility-debug, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debug, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debuginfo, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo-debug, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel-debug, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless-debug, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-debug, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip-debug, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src, amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src-debug, amazon-linux-ami-2-upgrade-java-11-amazon-corretto, amazon-linux-ami-2-upgrade-java-11-amazon-corretto-headless, amazon-linux-ami-2-upgrade-java-11-amazon-corretto-javadoc, amazon-linux-ami-2-upgrade-java-11-openjdk, amazon-linux-ami-2-upgrade-java-11-openjdk-debug, amazon-linux-ami-2-upgrade-java-11-openjdk-debuginfo, amazon-linux-ami-2-upgrade-java-11-openjdk-demo, amazon-linux-ami-2-upgrade-java-11-openjdk-demo-debug, amazon-linux-ami-2-upgrade-java-11-openjdk-devel, amazon-linux-ami-2-upgrade-java-11-openjdk-devel-debug, amazon-linux-ami-2-upgrade-java-11-openjdk-headless, amazon-linux-ami-2-upgrade-java-11-openjdk-headless-debug, amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc, amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-debug, amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip, amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip-debug, amazon-linux-ami-2-upgrade-java-11-openjdk-jmods, amazon-linux-ami-2-upgrade-java-11-openjdk-jmods-debug, amazon-linux-ami-2-upgrade-java-11-openjdk-src, amazon-linux-ami-2-upgrade-java-11-openjdk-src-debug, amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs, amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs-debug, amazon-linux-ami-2-upgrade-java-17-amazon-corretto, amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel, amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless, amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc, amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods
References: https://attackerkb.com/topics/cve-2024-21068, AL2/ALAS-2024-2527, AL2/ALAS-2024-2528, AL2/ALAS-2024-2540, AL2/ALASCORRETTO8-2024-011, AL2/ALASJAVA-OPENJDK11-2024-008, CVE-2024-21068
-
CentOS Linux: CVE-2024-21012: Moderate: java-11-openjdk security update (CESA-2024:1821)
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 04/16/2024, Created: 04/24/2024, Added: 04/23/2024, Modified: 01/28/2025
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Solution(s): centos-upgrade-java-11-openjdk, centos-upgrade-java-11-openjdk-debuginfo, centos-upgrade-java-11-openjdk-demo, centos-upgrade-java-11-openjdk-devel, centos-upgrade-java-11-openjdk-headless, centos-upgrade-java-11-openjdk-javadoc, centos-upgrade-java-11-openjdk-javadoc-zip, centos-upgrade-java-11-openjdk-jmods, centos-upgrade-java-11-openjdk-src, centos-upgrade-java-11-openjdk-static-libs
References: CVE-2024-21012
-
CentOS Linux: CVE-2024-3302: Important: firefox security update (Multiple Advisories)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024, Created: 04/24/2024, Added: 04/23/2024, Modified: 04/26/2024
Description: There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
Solution(s): centos-upgrade-firefox, centos-upgrade-firefox-debuginfo, centos-upgrade-thunderbird, centos-upgrade-thunderbird-debuginfo
References: CVE-2024-3302
-
CentOS Linux: CVE-2024-3864: Important: firefox security update (Multiple Advisories)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024  Created: 04/19/2024  Added: 04/19/2024  Modified: 04/29/2024
Description: Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
Solution(s):
  centos-upgrade-firefox
  centos-upgrade-firefox-debuginfo
  centos-upgrade-thunderbird
  centos-upgrade-thunderbird-debuginfo
References: CVE-2024-3864
-
CentOS Linux: CVE-2024-21085: Moderate: java-1.8.0-openjdk security update (Multiple Advisories)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024  Created: 04/18/2024  Added: 04/18/2024  Modified: 04/23/2024
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Solution(s):
  centos-upgrade-java-1-8-0-openjdk
  centos-upgrade-java-1-8-0-openjdk-accessibility
  centos-upgrade-java-1-8-0-openjdk-debuginfo
  centos-upgrade-java-1-8-0-openjdk-demo
  centos-upgrade-java-1-8-0-openjdk-devel
  centos-upgrade-java-1-8-0-openjdk-headless
  centos-upgrade-java-1-8-0-openjdk-javadoc
  centos-upgrade-java-1-8-0-openjdk-javadoc-zip
  centos-upgrade-java-1-8-0-openjdk-src
  centos-upgrade-java-11-openjdk
  centos-upgrade-java-11-openjdk-debuginfo
  centos-upgrade-java-11-openjdk-demo
  centos-upgrade-java-11-openjdk-devel
  centos-upgrade-java-11-openjdk-headless
  centos-upgrade-java-11-openjdk-javadoc
  centos-upgrade-java-11-openjdk-javadoc-zip
  centos-upgrade-java-11-openjdk-jmods
  centos-upgrade-java-11-openjdk-src
  centos-upgrade-java-11-openjdk-static-libs
References: CVE-2024-21085
-
CentOS Linux: CVE-2024-21011: Moderate: java-1.8.0-openjdk security update (Multiple Advisories)
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Published: 04/16/2024  Created: 04/18/2024  Added: 04/18/2024  Modified: 01/28/2025
Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Solution(s):
  centos-upgrade-java-1-8-0-openjdk
  centos-upgrade-java-1-8-0-openjdk-accessibility
  centos-upgrade-java-1-8-0-openjdk-debuginfo
  centos-upgrade-java-1-8-0-openjdk-demo
  centos-upgrade-java-1-8-0-openjdk-devel
  centos-upgrade-java-1-8-0-openjdk-headless
  centos-upgrade-java-1-8-0-openjdk-javadoc
  centos-upgrade-java-1-8-0-openjdk-javadoc-zip
  centos-upgrade-java-1-8-0-openjdk-src
  centos-upgrade-java-11-openjdk
  centos-upgrade-java-11-openjdk-debuginfo
  centos-upgrade-java-11-openjdk-demo
  centos-upgrade-java-11-openjdk-devel
  centos-upgrade-java-11-openjdk-headless
  centos-upgrade-java-11-openjdk-javadoc
  centos-upgrade-java-11-openjdk-javadoc-zip
  centos-upgrade-java-11-openjdk-jmods
  centos-upgrade-java-11-openjdk-src
  centos-upgrade-java-11-openjdk-static-libs
References: CVE-2024-21011
-
CentOS Linux: CVE-2024-3859: Important: firefox security update (Multiple Advisories)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 04/16/2024  Created: 04/19/2024  Added: 04/19/2024  Modified: 04/29/2024
Description: On 32-bit versions there were integer overflows that led to an out-of-bounds read that potentially could be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.
Solution(s):
  centos-upgrade-firefox
  centos-upgrade-firefox-debuginfo
  centos-upgrade-thunderbird
  centos-upgrade-thunderbird-debuginfo
References: CVE-2024-3859