SB20230719104 - Multiple vulnerabilities in Middleware Common Libraries and Tools

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Incorrect Regular Expression (CVE-ID: CVE-2022-33879)

The vulnerability allows a remote attacker to perform DoS attack.

The vulnerability exists due to improper validation in the StandardsExtractingContentHandler. A remote attacker can pass specially crafted file to the application and perform a denial of service (DoS) attack.

The vulnerability exists due to incomplete fixes for #VU63404 (CVE-2022-30126) and #VU63904 (CVE-2022-30973).

2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2023-22899)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to zip4j does not always perform validation of MAC when decrypting a ZIP archive. A remote attacker can submit a malicious archive or tamper with data inside one.

3) Input validation error (CVE-ID: CVE-2023-20861)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of SpEL expressions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

4) Out-of-bounds write (CVE-ID: CVE-2022-40152)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input within the Woodstox XML parser. A remote attacker can pass a specially crafted input to the application, trigger an out-of-bounds write and crash the application.

5) Input validation error (CVE-ID: CVE-2022-29546)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when parsing the Processing Instruction (PI) data. A remote attacker can trick the victim to open a specially crafted web page and perform a denial of service (DoS) attack.

6) Stack-based buffer overflow (CVE-ID: CVE-2022-45688)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists in the XML.toJSONObject component. A remote unauthenticated attacker can send a specially crafted JSON or XML data, trigger stack-based buffer overflow and perform a denial of service attack.

7) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.

8) Code Injection (CVE-ID: CVE-2020-13936)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker with ability to modify Velocity templates can inject and execute arbitrary Java code on the system with the same privileges as the account running the Servlet container.

9) Exposed dangerous method or function (CVE-ID: CVE-2022-41853)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authorization when using java.sql.Statement or java.sql.PreparedStatement in hsqldb. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpujul2023.html?952644