Anolis OS update for pki-deps:10.6 and pki-core:10.6 modules

Updated: 2025-03-28
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-2414
CWE-ID CWE-611
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Anolis OS
Operating systems & Components / Operating system

python3-nss
Operating systems & Components / Operating system package or component

python-nss-doc
Operating systems & Components / Operating system package or component

jss-javadoc
Operating systems & Components / Operating system package or component

jss
Operating systems & Components / Operating system package or component

idm-pki-tools
Operating systems & Components / Operating system package or component

idm-pki-symkey
Operating systems & Components / Operating system package or component

xsom
Operating systems & Components / Operating system package or component

xmlstreambuffer
Operating systems & Components / Operating system package or component

xml-commons-resolver
Operating systems & Components / Operating system package or component

xml-commons-apis
Operating systems & Components / Operating system package or component

xerces-j2
Operating systems & Components / Operating system package or component

xalan-j2
Operating systems & Components / Operating system package or component

velocity
Operating systems & Components / Operating system package or component

stax-ex
Operating systems & Components / Operating system package or component

slf4j-jdk14
Operating systems & Components / Operating system package or component

resteasy
Operating systems & Components / Operating system package or component

relaxngDatatype
Operating systems & Components / Operating system package or component

python3-idm-pki
Operating systems & Components / Operating system package or component

pki-servlet-engine
Operating systems & Components / Operating system package or component

pki-servlet-4.0-api
Operating systems & Components / Operating system package or component

javassist-javadoc
Operating systems & Components / Operating system package or component

javassist
Operating systems & Components / Operating system package or component

jakarta-commons-httpclient
Operating systems & Components / Operating system package or component

jackson-module-jaxb-annotations
Operating systems & Components / Operating system package or component

jackson-jaxrs-providers
Operating systems & Components / Operating system package or component

jackson-jaxrs-json-provider
Operating systems & Components / Operating system package or component

jackson-databind
Operating systems & Components / Operating system package or component

jackson-core
Operating systems & Components / Operating system package or component

jackson-annotations
Operating systems & Components / Operating system package or component

idm-pki-server
Operating systems & Components / Operating system package or component

idm-pki-kra
Operating systems & Components / Operating system package or component

idm-pki-ca
Operating systems & Components / Operating system package or component

idm-pki-base-java
Operating systems & Components / Operating system package or component

idm-pki-base
Operating systems & Components / Operating system package or component

idm-pki-acme
Operating systems & Components / Operating system package or component

glassfish-jaxb-txw2
Operating systems & Components / Operating system package or component

glassfish-jaxb-runtime
Operating systems & Components / Operating system package or component

glassfish-jaxb-core
Operating systems & Components / Operating system package or component

glassfish-jaxb-api
Operating systems & Components / Operating system package or component

glassfish-fastinfoset
Operating systems & Components / Operating system package or component

bea-stax-api
Operating systems & Components / Operating system package or component

apache-commons-net
Operating systems & Components / Operating system package or component

apache-commons-lang
Operating systems & Components / Operating system package or component

apache-commons-collections
Operating systems & Components / Operating system package or component

tomcatjss
Operating systems & Components / Operating system package or component

ldapjdk-javadoc
Operating systems & Components / Operating system package or component

ldapjdk
Operating systems & Components / Operating system package or component

slf4j
Operating systems & Components / Operating system package or component

Vendor OpenAnolis

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) XML External Entity injection

EUVDB-ID: #VU68953

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2022-2414

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python3-nss: before 1.0.1-10

python-nss-doc: before 1.0.1-10

jss-javadoc: before 4.9.4-1

jss: before 4.9.4-1

idm-pki-tools: before 10.12.0-4

idm-pki-symkey: before 10.12.0-4

xsom: before 0-19.20110809svn

xmlstreambuffer: before 1.5.4-8

xml-commons-resolver: before 1.2-26

xml-commons-apis: before 1.4.01-25

xerces-j2: before 2.11.0-34

xalan-j2: before 2.7.1-38

velocity: before 1.7-24

stax-ex: before 1.7.7-8

slf4j-jdk14: before 1.7.25-4

resteasy: before 3.0.26-6

relaxngDatatype: before 2011.1-7

python3-idm-pki: before 10.12.0-4

pki-servlet-engine: before 9.0.50-1

pki-servlet-4.0-api: before 9.0.50-1

javassist-javadoc: before 3.18.1-8

javassist: before 3.18.1-8

jakarta-commons-httpclient: before 3.1-28

jackson-module-jaxb-annotations: before 2.7.6-4

jackson-jaxrs-providers: before 2.9.9-1

jackson-jaxrs-json-provider: before 2.9.9-1

jackson-databind: before 2.10.0-1

jackson-core: before 2.10.0-1

jackson-annotations: before 2.10.0-1

idm-pki-server: before 10.12.0-4

idm-pki-kra: before 10.12.0-4

idm-pki-ca: before 10.12.0-4

idm-pki-base-java: before 10.12.0-4

idm-pki-base: before 10.12.0-4

idm-pki-acme: before 10.12.0-4

glassfish-jaxb-txw2: before 2.2.11-11

glassfish-jaxb-runtime: before 2.2.11-11

glassfish-jaxb-core: before 2.2.11-11

glassfish-jaxb-api: before 2.2.12-8

glassfish-fastinfoset: before 1.2.13-9

bea-stax-api: before 1.2.0-16

apache-commons-net: before 3.6-3

apache-commons-lang: before 2.6-21

apache-commons-collections: before 3.2.2-10

tomcatjss: before 7.7.1-1

ldapjdk-javadoc: before 4.23.0-1

ldapjdk: before 4.23.0-1

slf4j: before 1.7.25-4

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0806


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.