java-latest-openjdk-19.0.1.0.10-2.rolling.fc35

FEDORA-2022-ec7de69ceb

Packages in this update:

java-latest-openjdk-19.0.1.0.10-2.rolling.fc35

Update description:

New in release OpenJDK 19.0.1 (2022-10-18)

Full release notes
This update depends on FEDORA-2022-10bb6f119e

CVEs Fixed

CVE-2022-21618
CVE-2022-21619
CVE-2022-21624
CVE-2022-21628
CVE-2022-39399

Security Fixes

JDK-8282252: Improve BigInteger/Decimal validation
JDK-8285662: Better permission resolution
JDK-8286077: Wider MultiByte conversions
JDK-8286511: Improve macro allocation
JDK-8286519: Better memory handling
JDK-8286526: Improve NTLM support
JDK-8286910: Improve JNDI lookups
JDK-8286918: Better HttpServer service
JDK-8287446: Enhance icon presentations
JDK-8288508: Enhance ECDSA usage
JDK-8289366: Improve HTTP/2 client usage
JDK-8289853: Update HarfBuzz to 4.4.1
JDK-8290334: Update FreeType to 2.12.1

Major Changes

JDK-8292654: G1 Remembered set memory footprint regression after JDK-8286115

JDK-8286115 changed ergonomic sizing of a component of the remembered sets in G1. This change causes increased native memory usage of the Hotspot VM for applications that create large remembered sets with the G1 collector.

In an internal benchmark total GC component native memory usage rose by almost 10% (from 1.2GB to 1.3GB).

This issue can be worked around by running the application once with -XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions, reading the value printed for G1RemSetArrayOfCardsEntries, and passing double that value to the application on subsequent runs.

E.g. pass -XX:+UnlockExperimentalVMOptions -XX:G1RemSetArrayOfCardsEntries=128 if a previous run showed a value of 64 for G1RemSetArrayOfCardsEntries in the output of -XX:+PrintFlagsFinal.
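As an added example (not part of the Fedora advisory or the OpenJDK project), the following POSIX shell script automates the workaround above: it reads -XX:+PrintFlagsFinal output on standard input, extracts the ergonomic value of G1RemSetArrayOfCardsEntries, and prints the option string with that value doubled. The function names and the embedded sample flag lines are constructed for illustration and are not real JVM output.

```shell
#!/bin/sh
# Added example (not from the advisory): automate the JDK-8292654 workaround.
# Reads -XX:+PrintFlagsFinal output on stdin, finds the current value of
# G1RemSetArrayOfCardsEntries, and prints the options to pass on the next run
# with that value doubled.
FLAG_NAME="G1RemSetArrayOfCardsEntries"

# Extract the current value from PrintFlagsFinal output (stdin).
# Each flag line has the shape: "<type> <name> = <value> {...} {...}",
# so the name is field 2, "=" is field 3 and the value is field 4.
g1_current_value() {
    awk -v name="$FLAG_NAME" '$2 == name && $3 == "=" { print $4; exit }'
}

# Print the JVM options implementing the workaround (current value doubled).
# Fails with a message if the flag is absent, e.g. when experimental flags
# were not unlocked on the run that produced the input.
g1_workaround_flags() {
    cur=$(g1_current_value)
    if [ -z "$cur" ]; then
        echo "error: $FLAG_NAME not found in input" >&2
        return 1
    fi
    echo "-XX:+UnlockExperimentalVMOptions -XX:${FLAG_NAME}=$((cur * 2))"
}

# Constructed sample of two PrintFlagsFinal lines (not real JVM output).
SAMPLE_FLAGS='     uint G1RemSetArrayOfCardsEntries               = 64                                        {experimental} {ergonomic}
    uintx MaxHeapSize                               = 2147483648                                {product} {ergonomic}'

# Against a live JVM (assumes java is on PATH):
#   java -XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions -version | g1_workaround_flags
# Offline demo using the constructed sample:
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_FLAGS" | g1_workaround_flags
fi
```

The script only reads the printed value; the doubled setting takes effect on the next JVM start, where it must be passed together with -XX:+UnlockExperimentalVMOptions exactly as the advisory shows. Run `sh script.sh --demo` to see the result for the constructed sample.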

JDK-8292579: Update Timezone Data to 2022c

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b

CVE-2021-38397

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

CVE-2021-38395

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

CVE-2021-36206

All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries.

USN-5705-1: LibTIFF vulnerabilities

Chintan Shah discovered that LibTIFF incorrectly handled memory in
certain conditions. An attacker could trick a user into processing a specially
crafted image file and potentially use this issue to allow for information
disclosure or to cause the application to crash. (CVE-2022-3570)

It was discovered that LibTIFF incorrectly handled memory in certain
conditions. An attacker could trick a user into processing a specially
crafted TIFF file and potentially use this issue to cause a denial of service.
(CVE-2022-3598)

USN-5706-1: Linux kernel (Azure CVM) vulnerabilities

It was discovered that the BPF verifier in the Linux kernel did not
properly handle internal data structures. A local attacker could use this
to expose sensitive information (kernel memory). (CVE-2021-4159)

It was discovered that an out-of-bounds write vulnerability existed in the
Video for Linux 2 (V4L2) implementation in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-20369)

Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel’s Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)

Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan
and Ariel Sabba discovered that some Intel processors with Enhanced
Indirect Branch Restricted Speculation (eIBRS) did not properly handle RET
instructions after a VM exits. A local attacker could potentially use this
to expose sensitive information. (CVE-2022-26373)

Eric Biggers discovered that a use-after-free vulnerability existed in the
io_uring subsystem in the Linux kernel. A local attacker could possibly use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-3176)

Roger Pau Monné discovered that the Xen paravirtualization frontend in the
Linux kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-33740)

It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)

Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in
the Linux kernel on ARM platforms contained a race condition in certain
situations. An attacker in a guest VM could use this to cause a denial of
service in the host OS. (CVE-2022-33744)

It was discovered that the Netlink Transformation (XFRM) subsystem in the
Linux kernel contained a reference counting error. A local attacker could
use this to cause a denial of service (system crash). (CVE-2022-36879)

BrandPost: 10 Best Practices for a Zero Trust Data Center

Today, there is no such thing as an enterprise network perimeter — the locations of applications, users, and their devices are no longer static; BYOD is common; and data is everywhere. With ever-evolving cybersecurity threats and no fixed perimeter, traditional security strategies fail to protect highly distributed networks, users, and applications. Organizations need an innovative approach that is not only simple and promising, but also proven and sustainable. That is why Zero Trust is getting so much attention.

What is Zero Trust and why do we need it?

Zero Trust is an enterprise security framework based on the principle “never trust; always verify.” In other words, this approach does not trust any user, application, or device unless explicitly allowed by a security policy. By adopting the concepts and architectural components of Zero Trust, organizations can improve visibility and better secure their hybrid environments while meeting compliance requirements and reducing costs over time.


BrandPost: Top 5 Regulatory Reasons for Implementing Zero Trust

We are beyond the point of viewing Zero Trust as a simple marketing feature for information technology or cybersecurity companies. It is a floor for any technology vendor who wants to provide high-value solutions to government or commercial customers.

Before getting into the details, let’s first settle on what we mean by Zero Trust. In 2017, Forrester’s Stephanie Balaouras provided what has become a common definition within the industry:

“A conceptual and architectural model for how security teams should redesign networks into secure microperimeters, increase data security through obfuscation techniques, limit the risks associated with excessive user privileges, and dramatically improve security detection and response through analytics and automation.”
