Linode Security Digest July 24-31, 2022

This week, we'll cover newly discovered OpenJDK vulnerabilities, a heap overflow vulnerability in Redis, and an arbitrary PHP code execution vulnerability in Drupal core.

OpenJDK Vulnerabilities

OpenJDK released a security advisory last week containing four vulnerabilities.

CVE-2022-21541 is a difficult-to-exploit vulnerability in the hotspot/runtime component that allows unauthenticated attackers with network access via multiple protocols to compromise Java, which can result in unauthorized creation, deletion, or modification access to critical data or to all OpenJDK-accessible data.

CVE-2022-21540 exists in the hotspot/compiler component and is an easily exploitable flaw that allows unauthenticated attackers with network access via multiple protocols to gain unauthorized read access to a subset of OpenJDK-accessible data. This CVE has only a low impact on the confidentiality of data.

CVE-2022-21549 in the core-libs/java.util component can result in unauthorized update, insert, or delete access to some OpenJDK-accessible data.

Note: All three vulnerabilities apply to Java deployments (typically clients running sandboxed Java Web Start applications or sandboxed Java applets) that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. These vulnerabilities can be exploited by using APIs in the specified component, e.g., through a web service which supplies data to the APIs.

CVE-2022-34169 is an integer truncation issue in the Apache Xalan Java XSLT library. It can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

Heap Overflow in Redis

Redis is often referred to as a data structures server. What this means is that Redis provides access to mutable data structures via a set of commands, which are sent using a server-client model over TCP sockets and a simple protocol. Different processes can therefore query and modify the same data structures in a shared way.

There is a heap overflow issue that can be triggered by an out-of-bounds write through a specially crafted XAUTOCLAIM command on a stream key in a specific state, and it can potentially lead to remote code execution. CVE-2022-31144 affects Redis versions 7.0.0 or newer. The problem is fixed in Redis version 7.0.4.

Drupal Core – Arbitrary PHP Code Execution Vulnerability

Drupal has released four advisories that describe four types of vulnerabilities. One of them has been rated "critical" and the other three "moderately critical." The "critical" vulnerability, tracked as CVE-2022-25277, affects Drupal 9.3 and 9.4. The issue affects Drupal core and could lead to arbitrary PHP code execution on Apache web servers by uploading specially crafted files.

The remaining three are moderately critical according to Drupal.

CVE-2022-25276 could lead to cross-site scripting, leaked cookies, or other vulnerabilities because the Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain.

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. CVE-2022-25278 could lead to a user being able to alter data they should not have access to.

CVE-2022-25275 arises in some situations when the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Upgrade to Drupal 9.4.3 or 9.3.19 to apply patches for these vulnerabilities. Note: All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage, and Drupal 8 has reached its end of life. Drupal 7 core is not affected.
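The Redis and Drupal items above both come down to the same defender's question: is the installed version inside the affected range, and which fix release clears it? The following is an added example (not Linode's code, nor the Redis or Drupal projects' own tooling) that encodes the version boundaries stated in this digest: Redis 7.0.0 or newer is affected and 7.0.4 fixes CVE-2022-31144; Drupal 9.3 needs 9.3.19 and 9.4 needs 9.4.3, Drupal 8 and Drupal 9 before 9.3 are end-of-life, and Drupal 7 core is not affected. It assumes the Redis version is read from the `redis_version:` line of an `INFO server` reply and that the Drupal version is a plain dotted string; the sample INFO reply below is constructed.

```python
"""Classify Redis and Drupal versions against the fixes named in this digest.

Assumptions: the Redis version comes from the 'redis_version:' line of an
INFO server reply; the Drupal version is a plain 'x.y.z' (or 'x.y') string.
Sample inputs in __main__ are constructed for illustration.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Boundaries taken from the digest text.
REDIS_FIRST_AFFECTED: Version = (7, 0, 0)
REDIS_FIXED: Version = (7, 0, 4)
DRUPAL_FIXED: Dict[Tuple[int, int], Version] = {
    (9, 3): (9, 3, 19),
    (9, 4): (9, 4, 3),
}


def parse_version(text: str) -> Version:
    """Extract the first x.y[.z] version from free-form text, e.g. 'v=7.0.3 sha=...'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0  # Drupal 7 uses 'x.y' only
    return (major, minor, patch)


def redis_status(info_server_output: str) -> str:
    """Classify a Redis server for CVE-2022-31144 from its INFO server output."""
    m = re.search(r"^redis_version:(\S+)", info_server_output, re.MULTILINE)
    if not m:
        raise ValueError("INFO output has no redis_version line")
    v = parse_version(m.group(1))
    if v < REDIS_FIRST_AFFECTED:
        return "not-affected"  # digest: only 7.0.0 or newer is affected
    if v >= REDIS_FIXED:
        return "fixed"
    return "vulnerable"        # 7.0.0 <= v < 7.0.4: upgrade to 7.0.4


def drupal_status(version: str) -> str:
    """Classify a Drupal core version against the 9.3.19 / 9.4.3 fixes and the EOL note."""
    major, minor, patch = parse_version(version)
    if major == 7:
        return "not-affected"  # digest: Drupal 7 core is not affected
    if major == 8 or (major == 9 and minor < 3):
        return "end-of-life"   # no security coverage; upgrade regardless of patch level
    fixed = DRUPAL_FIXED.get((major, minor))
    if fixed is None:
        return "unknown"       # branch not covered by these advisories
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample: the relevant lines of a Redis INFO server reply.
    sample_info = "# Server\r\nredis_version:7.0.3\r\nredis_mode:standalone\r\n"
    print("redis 7.0.3:", redis_status(sample_info))
    for v in ("9.4.2", "9.4.3", "9.3.19", "9.2.10", "8.9.20", "7.91"):
        print(f"drupal {v}:", drupal_status(v))
```

The `end-of-life` result is deliberately separate from `vulnerable`: a 9.2.x site has no patch to apply for these CVEs and needs a branch upgrade, which is a different remediation ticket from bumping a 9.4.2 site to 9.4.3.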
