Posted by Onapsis Research via Fulldisclosure on May 04

# Onapsis Security Advisory 2022-0001: HTTP Request Smuggling in SAP Web
Dispatcher

## Impact on Business

By injecting an HTTP request as a prefix into a victim’s request, a
malicious user
is able to cause damage in different ways, such as producing a Denial of
Service by
setting an invalid request as a prefix.

It is also possible to inject a valid prefixed request that will include the
victim’s information from its original request….

Read More

SonicWall Global VPN Client 4.10.7.1117 installer (32-bit and 64-bit) and earlier versions have a DLL Search Order Hijacking vulnerability in one of the installer components. Successful exploitation via a local attacker could result in command execution in the target system.

Read More

FEDORA-2022-efaa7e8775

Packages in this update:

java-1.8.0-openjdk-aarch32-1.8.0.332.b09-1.fc34

Update description:

8u332 update

Read More

FEDORA-2022-0a719e8ba4

Packages in this update:

java-1.8.0-openjdk-aarch32-1.8.0.332.b09-1.fc35

Update description:

8u332 update

Read More

FEDORA-2022-eb9cc91549

Packages in this update:

java-1.8.0-openjdk-aarch32-1.8.0.332.b09-1.fc36

Update description:

8u332 update

Read More

FEDORA-2022-5e45671294

Packages in this update:

freetype-2.10.4-6.fc34

Update description:

Security fix for CVE-2022-27404, CVE-2022-27405 and CVE-2022-27406.

Read More

FEDORA-2022-80e1724780

Packages in this update:

freetype-2.11.0-6.fc35

Update description:

Security fix for CVE-2022-27404, CVE-2022-27405 and CVE-2022-27406.

Read More

Elison Niven discovered that OpenSSL incorrectly handled the c_rehash
script. A local attacker could possibly use this issue to execute arbitrary
commands when c_rehash is run. (CVE-2022-1292)

Raul Metsma discovered that OpenSSL incorrectly verified certain response
signing certificates. A remote attacker could possibly use this issue to
spoof certain response signing certificates. This issue only affected
Ubuntu 22.04 LTS. (CVE-2022-1343)

Tom Colley discovered that OpenSSL used the incorrect MAC key in the
RC4-MD5 ciphersuite. In non-default configurations were RC4-MD5 is enabled,
a remote attacker could possibly use this issue to modify encrypted
communications. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-1434)

Aliaksei Levin discovered that OpenSSL incorrectly handled resources when
decoding certificates and keys. A remote attacker could possibly use this
issue to cause OpenSSL to consume resources, leading to a denial of
service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-1473)

Read More

USN-5400-1 fixed several vulnerabilities in MySQL. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated in Ubuntu 16.04 ESM to MySQL 5.7.38.

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:

https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-38.html
https://www.oracle.com/security-alerts/cpuapr2022.html

Read More

Wenxiang Qian discovered that DPDK incorrectly checked certain payloads. An
attacker could use this issue to cause DPDK to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2021-3839)

It was discovered that DPDK incorrectly handled inflight type messages. An
attacker could possibly use this issue to cause DPDK to consume resources,
leading to a denial of service. (CVE-2022-0669)

Read More