Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2022-29599 |
CWE-ID | CWE-78 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Anolis OS (operating system) and the following operating system packages/components: maven-shared-utils, jansi-native, slf4j, sisu-plexus, sisu-inject, plexus-utils, plexus-sec-dispatcher, plexus-interpolation, plexus-containers-component-annotations, plexus-classworlds, plexus-cipher, maven-wagon-provider-api, maven-wagon-http-shared, maven-wagon-http, maven-wagon-file, maven-resolver-util, maven-resolver-transport-wagon, maven-resolver-spi, maven-resolver-impl, maven-resolver-connector-basic, maven-resolver-api, maven-lib, maven, jsoup, jcl-over-slf4j, jboss-interceptors-1.2-api, jansi, httpcomponents-core, httpcomponents-client, hawtjni-runtime, guava20, google-guice, glassfish-el-api, geronimo-annotation, cdi-api, atinject, apache-commons-logging, apache-commons-lang3, apache-commons-io, apache-commons-codec, apache-commons-cli, aopalliance |
Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU62608
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-29599
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing double-quoted strings. A remote attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
maven-shared-utils: before 3.2.1-0.2
jansi-native: before 1.7-7
slf4j: before 1.7.25-4
sisu-plexus: before 0.3.3-6
sisu-inject: before 0.3.3-6
plexus-utils: before 3.1.0-3
plexus-sec-dispatcher: before 1.4-26
plexus-interpolation: before 1.22-9
plexus-containers-component-annotations: before 1.7.1-8
plexus-classworlds: before 2.5.2-9
plexus-cipher: before 1.7-14
maven-wagon-provider-api: before 3.1.0-1
maven-wagon-http-shared: before 3.1.0-1
maven-wagon-http: before 3.1.0-1
maven-wagon-file: before 3.1.0-1
maven-resolver-util: before 1.1.1-2
maven-resolver-transport-wagon: before 1.1.1-2
maven-resolver-spi: before 1.1.1-2
maven-resolver-impl: before 1.1.1-2
maven-resolver-connector-basic: before 1.1.1-2
maven-resolver-api: before 1.1.1-2
maven-lib: before 3.5.4-5
maven: before 3.5.4-5
jsoup: before 1.11.3-3
jcl-over-slf4j: before 1.7.25-4
jboss-interceptors-1.2-api: before 1.0.0-8
jansi: before 1.17.1-1
httpcomponents-core: before 4.4.10-3
httpcomponents-client: before 4.5.5-5
hawtjni-runtime: before 1.16-2
guava20: before 20.0-8
google-guice: before 4.1-11
glassfish-el-api: before 3.0.1-0.7.b08
geronimo-annotation: before 1.0-23
cdi-api: before 1.2-8
atinject: before 1-28.20100611svn86
apache-commons-logging: before 1.2-13
apache-commons-lang3: before 3.7-3
apache-commons-io: before 2.6-3
apache-commons-codec: before 1.11-3
apache-commons-cli: before 1.4-4
aopalliance: before 1.0-17
CPE2.3
https://anas.openanolis.cn/errata/detail/ANSA-2022:0528
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.