Internet-facing zero-day vulnerabilities were the most commonly used types of bugs in 2021 attacks, according to the international Joint Cybersecurity Advisory (JCSA).

Log4Shell, despite being disclosed only at the end of the year, topped 2021's list of most-exploited vulnerabilities, according to the Cybersecurity and Infrastructure Agency (CISA). The agency compiled the findings along with the cybersecurity agencies of Australia, Canada, New Zealand, and the United Kingdom. 

"Globally in 2021, malicious cyberactors targeted Internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities," CISA reported in its announcement of the findings.  "For most of the top exploited vulnerabilities, researchers or other actors released proof-of-concept (PoC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors." 

The top most commonly exploited vulnerabilities, according to CISA, include Log4Shell, which affects Apache’s Log4j library, and the ProxyLogon and ProxyShell vulnerabilities, which are bugs in Microsoft Exchange email servers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA: Log4Shell Was the Most-Exploited Vulnerability in 2021

The four-year-old firm, started by two industry veterans, focuses on gaining visibility into Internet-facing services as more companies seek insight into what attackers see.

Vulnerability and cybersecurity assessment firm Tenable announced on Tuesday plans to acquire 4-year-old startup Bit Discovery, becoming the latest company to acquire an attack-surface management business in the past year.

With the $44.5 million deal, Tenable aims to strengthen its capabilities for gathering external information on networks and deliver to customers more visibility into their digital footprints. Visibility is key, as misconfigured and vulnerable assets are a significant security weakness for most companies. Tenable intends to integrate the technology into all of its products, including its Nessus vulnerability scanning platform, and use the technology to augment its ability to analyze internal networks.

Acquiring Bit Discovery's technology gives Tenable and its customers an attacker's eye view of company networks, says Glen Pendley, chief technology officer at Tenable.

"Visibility is  literally the first step in every single cybersecurity framework," he says. "When you look at our acquisitions and strategy ... over the last few years, we are getting a bigger breadth of coverage over the attack surface. This is the biggest part of the attack surface that Tenable has yet to get visibility of."

The acquisition is the latest industry move to underscore the importance of the technologies and services that deliver attack surface management (ASM) capabilities. This month, Google announced it would buy Mandiant, which had previously acquired Intrigue, an ASM startup, in August 2021. In February, cybersecurity automation firm Darktrace announced it would acquire ASM firm Cybersprint for nearly $54 million. And in November, cyber-risk firm Team Cymru stated it would purchase Amplicy, a 2-year-old startup company focused on attack surface discovery for an undisclosed amount.

**ASM on the Rise  
**The interest is unsurprising. Business intelligence firm Gartner named ASM as the top trend in security and risk management for 2022, breaking down the technologies into three areas: cyber asset ASM, external ASM, and digital risk protection services (DRPS). Bit Discovery falls squarely in the external attack surface management (EASM) segment.

Companies should know all of the assets visible to attackers from the Internet, Gartner stated in the March announcement of its top 7 security and risk-management trends.

"Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, complex digital supply chains, social media and more have brought organizations’ exposed surfaces outside of a set of controllable assets," the firm stated. "Organizations must look beyond traditional approaches to security monitoring, detection and response to manage a wider set of security exposures."

Part of the growing importance of ASM is because companies are getting better about doing the basics. Businesses are paying more attention to common points of entry, such as remote desktop protocol (RDP) servers and virtual private network (VPN) appliances, but need to look beyond securing the front door, says Jeremiah Grossman, CEO of Bit Discovery.

"We got away with not knowing all of our assets for a long time in infosec because everything was just that insecure," he says. "But now the main front doors are getting sufficiently hardened, so the adversaries are looking for secondary and tertiary ways in."

Team Cymru, a cybersecurity risk firm, estimates that 60% of breaches start with the compromise of an exposed, unmanaged asset with an unpatched vulnerability. In addition, the company's research found that three-quarters of midsize to large companies have to rely on spreadsheets to track assets. Those companies were not ready for the shift to cloud infrastructure and employees working from home, says Lewis Henderson, a senior product manager at Team Cymru.

"The last two years have thrust organizations to expand far beyond their already eroded borders — \[basically\] digital transformation on steroids," he says. "When those organizations went to lean on their security vendors to understand what external assets, risks, vulnerabilities and threats they had, they were left totally exposed and on their own to figure it out."

EASM firms evolved to fill the gaps, he says.

**Four Years, $45 Million  
**Bit Discovery launched in March 2018 with $2.7 million in funding, upon the merger with OutsideIntel, a startup founded by Robert Hansen, a cybersecurity veteran who had discovered vulnerabilities under the handle "RSnake" and had previously worked with Grossman at WhiteHat Security. Last June, Bit Discovery gained another $4 million in investment during a Series B round of funding.

Grossman estimates that about half of breaches are enabled by a vulnerable asset that the company previously did not know about. He pointed to the massive data breach as Equifax as an example of the hazards.

"Nothing is more embarrassing than getting exploited by an asset that you didn't know you owned," he says. "That was the case with Equifax. Yes, they didn't patch the \[Apache\] Struts vuln, but they would have if they knew the asset existed."

While the deal must still weather the closing process, Tenable expects to complete the acquisition this quarter and integrate Bit Discovery’s external ASM technology across its other products and services. In the end, the company wants to provide businesses with ways to get meaningful visibility into the state of their security, both on the internal network and from an external view, says Tenable's Pendley.

"We want to reduce noise," he says. "That has been a problem in this space forever, and it's something we can improve."

Tenable's Bit Discovery Buy Underscores Demand for Deeper Visibility of IT Assets

IBM QRadar SIEM 7.3, 7.4, and 7.5 in some senarios may reveal authorized service tokens to other QRadar users. IBM X-Force ID: 210021

CVE-2021-38919: Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities

Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.

Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.

Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found.

Researchers at security firm Rezilion analyzed the current potential attack surface for the vulnerability in the popular open-source Apache Log4j framework that threatened to break the internet when it was discovered in December. The flaw in the ubiquitous Java logging library Apache Log4j is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover.

Rezilion expected that due to the “massive amount of media coverage” the bug unsurprisingly received, the majority of applications would already be patched, Head of Vulnerability Research Yotam Perkal wrote in a report published Tuesday. However, their analysis found a very different story, he said.

“We learned that the landscape is far from ideal and many applications vulnerable to Log4Shell still exist in the wild,” Perkal wrote in the report.

****Supporting Evidence****

Researchers did a search on the Shodan search engine to see how many apps vulnerable to Log4Shell are exposed to the internet. They identified 90,000 potential vulnerable internet-facing applications, which they believe “is just the tip of the iceberg in terms of the actual vulnerable attack surface,” Perkal wrote.

Researchers divided the apps into three categories; the first two are containers that in their latest version, still contain obsolete versions of Log4j; and containers that while their latest version is up-to-date yet still show evidence of using previous versions.

The third category are publicly facing servers of the world’s favorite internet game Minecraft, which highlight the risks with outdated proprietary software, researchers noted.. Indeed, it Minecraft sites where the vulnerability first turned up and apparently still persists.

Researchers cited other sources for further proof that the Log4Shell attack surface remains vast. One was the Google service Open Source Insights, which scans millions of open-source packages. The service found that out of a total of 17,840 packages affected by the flaw, only 7,140 were patched, making nearly 60 percent still vulnerable.

Moreover many applications are still using Log4J version 1.x and likely aren’t patched because the original Log4Shell vulnerability, tracked as CVE-201-44228, doesn’t apply to this version, researchers noted.

However, this is a misconception as that version has been “in an end-of-life state since August 2015 (which means it does not get any security updates), and contains plenty of other vulnerabilities, including RCE vulnerabilities, Perkal noted.

“This should definitely worry organizations that are still using it,” he wrote.

****Under Active Exploitation****

Perhaps most worrying about the vulnerable attack surface is that Log4Shell remains a hot target for threat actors, researchers noted. Indeed, attackers immediately set upon the bug once it was discovered—already under active exploitation—and haven’t let up much since.

While Apache released a patch for Log4Shell within a day of discovery, it, too, had issues that could lead to DoS attacks—and apparently still hasn’t been applied in many cases.

Initial attempts to exploit the bug in the wild were aimed at ransomware deployment and coin miners; however, as time when on APT groups joined the fray and began pummeling the flaw in earnest, researchers said.

Most recently, active exploitation of Log4Shell has been linked to the Chinese APT 41 group and Deep Panda, Perkal said. Before that, the Chinese state-sponsored espionage group HAFNIUM and Iranian-backed groups APT35 (aka Newscaster) and Tunnel Vision also targeted the flaw.

Currently there are still dozens of recorded daily exploitation attempts of Log4Shell, according to a honeypot set up by the SANS Internet Storm Center, researchers noted.

Millions of Java Apps Remain Vulnerable to Log4Shell

Four months after the Log4Shell vulnerability was disclosed, most affected open source components remain unpatched, and companies continue to use vulnerable versions of the logging tool.

Attackers who want to exploit the critical remote code execution vulnerability disclosed in the Apache Log4j logging tool over four months ago still have a vast array of targets to go after.

In a recent scan using the Shodan search engine, Rezilion found more than 90,000 Internet-exposed servers containing a vulnerable version of the software. The security vendor believes the number represents only a small fraction of available attacker targets because it only considers publicly facing servers running open source software. If internal network servers and servers running proprietary applications are factored in, the total number of vulnerable targets is likely much higher, Rezilion said.

A Rezilion report this week that summarized the results of its study pointed to other data points that appear to bolster the company's conclusion.

Among them is data from a Google open source scanning service called Open Source Insights, which showed that just 7,140 Java packages out of a total of 17,840 affected packages have been patched for Log4Shell since the flaw was disclosed. Another data point from Sonatype found that as of Apr. 20, 2022, some 36% of Log4j versions being actively downloaded from the Maven Central Java application repository were still vulnerable to Log4Shell — a number that has remained largely unchanged since February.

"Similar to other historic high-profile vulnerabilities, even though four months have passed, there is still a huge attack surface that is vulnerable to Log4Shell," says Yotam Perkal, director of vulnerability research at Rezilion. "The 90,000 publicly accessible vulnerable servers are probably only the tip of the iceberg in terms of actual vulnerable attack surface."

The Apache Foundation disclosed the Log4Shell vulnerability (CVE-2021-44228) along with an updated and fixed version of the software on Dec. 9, 2021. The flaw is present in virtually every Java application environment, is considered trivially easy to exploit, and gives attackers a way to gain complete control over vulnerable systems. Many security experts consider the flaw to be one of the most dangerous to be disclosed in recent memory, and they have urged organizations to install the updated and fixed version of the software as soon as possible.

Despite the high concerns, there have been very few publicly reported instances of the flaw being exploited in a major breach. However, there are considerable fears that in many cases attackers may have already quietly exploited the flaw to gain access to enterprise networks and are waiting for an opportune moment to strike.

Security experts have pointed to the ubiquity of the flaw and the difficulty involved in detecting it — Java files containing the flaw can sometimes be buried deep inside applications — as potential reasons for the slow remediation pace so far.

Rezilion said one issue is that many people are unwittingly using software that relies on vulnerable versions of Log4j either because they don't have visibility into their software components or are using vulnerable third-party software. The Log4j flaw has also proven to be challenging to detect in production environments.

**Tip of the Iceberg?**  
Perkal says that the 90,000 vulnerable servers that Rezilion found via a Shodan search contained open source components with obsolete — and therefore potentially vulnerable — versions of Log4j; components with up-to-date Log4j versions that contained evidence of use of previous, potential vulnerable versions; and public-facing Minecraft servers with vulnerable Log4j versions.

"There are probably a lot of servers running these applications on internal networks and hence not visible publicly through Shodan," Perkal says. "We must assume that there are also proprietary applications as well as commercial products still running vulnerable versions of Log4j."

Significantly, all the exposed open source components contained a significant number of additional vulnerabilities that were unrelated to Log4j. On average, half of the vulnerabilities were disclosed prior to 2020 but were still present in the "latest" version of the open source components, he says. Rezilion's analysis showed that in many cases when open source components were patched, it took more than 100 days for the patched version to become available via platforms like Docker Hub.

Nicolai Thorndahl, head of professional services at Logpoint, says flaw detection continues to be a challenge for many organizations because while Log4j is used for logging in many applications, the providers of software don't always disclose its presence in software notes. "So, many companies don't actually know if it is being used in their system or not," Thorndahl says.

Often, many applications are using old versions of Log4j that are no longer being supported and are vulnerable. "Very few, if any, companies have a \[configuration management database\] so detailed that it would show where they are using Log4j," he says.

Thorndahl expects there will be more attacks exploiting the flaw, even though there have been very few so far.

"Most likely what we will see down the line, maybe four months, maybe a year, as we have seen before, is that incidents will be disclosed \[where\] companies detected they have been breached and the Log4j vulnerability was used and they probably had access for a long period of time," he says.

Log4j Attack Surface Remains Massive

An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).

CVE-2022-28218: Webmail Messenger release notes - CipherMail Email Encryption

Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-23942

Red Hat Security Advisory 2022-1490-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  ====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1490-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1490   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   ====================================================================   1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.4 Extended Update Support.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat CodeReady Linux Builder EUS (v. 8.4) - aarch64, ppc64le, x86_64   Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream EUS (v.8.4):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_4.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_4.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.x86_64.rpm  Red Hat CodeReady Linux Builder EUS (v. 8.4):  aarch64:   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm  x86_64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJltzjgjWX9erEAQixhg/9FlN+3plAc+A56+yeOsQFp10F8gb8c3Du   rKpHuht4ZZtfSXf9RjW/DigMdpo9+2d2LAQc3rVEZydM7CwP2v051CUxU6Okukz2   MDYLcT4xV9SVl0XJxw3YMbOuH1HgSL3qkypnOOL7G5WeQHV5iU3khQ07IlousGQu   jKYzdOLwzm/LqAWgKhj+hRCruS+ZlVjsX+FuU09wpwI1BjtW7e7Kcl6lzO/9QoBa   29h+bmEYBR6cZWdqfxtvIwtOOqbx7csnl3oOOxhOiDHbgn6aq/7kyfeexvk0uiSw   IeSijMTcxeE0/HbI+QXkI3iws2yetf8mZSrXZYCzhDulwRyKNY8x04FpkDq1YUrT   xZTGzlw7iiZaeMqVRfHQCBBnQy1di4hQiGdafeIvWZBT730BpVkrjLGcvzG5v1Ul   PGyjq4LoCPUJUGUITi/1O3GDiizXH/qSeYxjxcD5K4KjoMuCxIbqoBoB21nQVxcN   NIG+iiuwaojdK1UWGGJ2wAwui4PLh+wCujXYGXuSgeK3GVtaWPAwAJU7kPO3F2y7   n00IB9CmxIDXLLHwuxRCpWoVxcK/lXRyH28iNvyys7+b9ZUvpEeFthrM/BcZi0UL   kldsaQETrT6TLIaBu00+ImXzLOsc8QnqJGpcXZ80tj7YURXVloin57kHQtf5OiJd   nznTOjxJ3RE=U1D6   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1490-01

Red Hat Security Advisory 2022-1491-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1491-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1491   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64   Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream (v. 8):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_5.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_5.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.x86_64.rpm  Red Hat CodeReady Linux Builder (v. 8):  aarch64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm  x86_64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJi9zjgjWX9erEAQiJFw//aHWpEtdVlArGK/D4EUJG8P7QKzMgLGYh   y6WHYvXmMjiwhl/1o7PXUzUXjmGkAQQ4bOOkyWndbc4DsBMwuz7/otmF64h0Ol5K   LMEiW1EZPkn8zaVzRJegL9y8GbP0jEg0MNFJ6SUtYS1fkYIxXc22LfFskzeNKxFy   vNfWIPx7lN1+jQgubTi0WKVcBnXjBwQ/ZloPQzzRanrW6QfM3K8a0C7X+DeJO5wR   lWGMYCkRZCKXxSCEWDv81pNwXy2S9SuV6Mo9VgW3TG+UfLkhIePA4yebDhnFQi/p   BizL9/b8UIb6CEgdNIj4csK49b7Ae8ABArhWSi1aAscQZNO9gAwgWGTKZAh7ZhQt   jEnaZpf9U/V+imLXyiqsknUQHH/vqIVYWTSnAwgYwNDDrPWtnHwBuRUh2MzE3cUY   CCHTneQ3GRYSm3hVlixf8L27uLh7ofad9vVHo/Jo33XM+o7dbC3/HGQasxWljNgY   j6aEKnNgtFTrLc4fARgKwC2j0qbZm9Nb5KXTmzdbtwgzFOGBlMnEmFWuDWncZ/Y/   el7MVYb/BiEGFhUH520mOPE+heeJYdRladjbgaq9+wu5zDyZ3K4CFIND81JPY1OT   X6QTIP8K0NGoAxOrhOOKQYDWi07I1AjCy86QPGIoMBaOW+RezxKjp3PDQovaNAAl   HNuIUczreHE=   =Kska   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1491-01

Red Hat Security Advisory 2022-1487-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security, bug fix, and enhancement update   Advisory ID: RHSA-2022:1487-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1487   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 7.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux Client (v. 7) - x86_64   Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64   Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Workstation (v. 7) - x86_64   Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2047529 - Prepare for the next quarterly OpenJDK upstream release (2022-04, 8u332) [rhel-7]   2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux Client (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Client Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  ppc64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  ppc64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJhNzjgjWX9erEAQhPuw//Zb0N99JyndrQMfmjrUw7kGh4hagh5/6v   EmZbNfmYZ3WtF7kOdNWzJ1bVnND5FsUZD1gHKz12ico5O+L+3yfkvqbPZe6F8DtE   XM391+BBLRe5A27rArHPpx1gM76N01BO7SBdawDXR7ZOHw0qF8nWa7AGzmzbNAYx   mn6RXFVvmlCLGDI83/aRY5wi7WPssQ0FAj4HB5ngeYLMEzzlQ63bQM6zoysW5aD9   K/Y0b1b/zpdawLaHJSCMLGPjNd5rRgBmQtNK94OVITMcgbYBEvQU9buDq9NoGrbK   Qp+MXaweMYtFJoDVP3PqiiZdu20nagfH8sfnBpw6LXqh2yWjvrSPJpniNm0jRPLk   YBReD1bLSk8JpQkTKjdSq8S6hQlNqzTHukNFTi4O7wkI031h2G/EV9kGf3nF7/uX   hGiwl2WAgwfM1CnFm9keiVZYj5aGHsLaxHqe0At8SU0c60UqAqJ4Ms924XKAkxrK   5+qAErYzOENysGss43zcwW2ru585gJzQmXUwLZmQ4AKeNp19xSwBro4RFJfKtZgv   N6rukoMIr3X9AE++k7iNTYh3c5wWoExU3yri8TYaap8sCk+Uys0kLHhMTW7eXH9X   U81tTAy5JVvLLmlijIe4/exnpdBXcJTeruKpNX7NT6BR/kQtApDORJcLoOK5Eowg   kmZ0zK+vqwM=   =TsnX   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Tag

#apache