Anolis OS update for pki-deps:10.6 and pki-core:10.6 modules



Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2020-36518
CWE-ID: CWE-787
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Anolis OS
Operating systems & Components / Operating system

resteasy
Operating systems & Components / Operating system package or component

python3-idm-pki
Operating systems & Components / Operating system package or component

pki-servlet-engine
Operating systems & Components / Operating system package or component

jackson-parent
Operating systems & Components / Operating system package or component

jackson-jaxrs-providers
Operating systems & Components / Operating system package or component

jackson-jaxrs-json-provider
Operating systems & Components / Operating system package or component

jackson-databind
Operating systems & Components / Operating system package or component

jackson-core
Operating systems & Components / Operating system package or component

jackson-bom
Operating systems & Components / Operating system package or component

jackson-annotations
Operating systems & Components / Operating system package or component

idm-tomcatjss
Operating systems & Components / Operating system package or component

idm-pki-server
Operating systems & Components / Operating system package or component

idm-pki-kra
Operating systems & Components / Operating system package or component

idm-pki-ca
Operating systems & Components / Operating system package or component

idm-pki-base-java
Operating systems & Components / Operating system package or component

idm-pki-base
Operating systems & Components / Operating system package or component

idm-pki-acme
Operating systems & Components / Operating system package or component

idm-ldapjdk-javadoc
Operating systems & Components / Operating system package or component

idm-ldapjdk
Operating systems & Components / Operating system package or component

glassfish-jaxb-txw2
Operating systems & Components / Operating system package or component

glassfish-jaxb-runtime
Operating systems & Components / Operating system package or component

glassfish-jaxb-core
Operating systems & Components / Operating system package or component

fasterxml-oss-parent
Operating systems & Components / Operating system package or component

idm-pki-tools
Operating systems & Components / Operating system package or component

idm-pki-symkey
Operating systems & Components / Operating system package or component

idm-jss-javadoc
Operating systems & Components / Operating system package or component

idm-jss
Operating systems & Components / Operating system package or component

xsom
Operating systems & Components / Operating system package or component

xmlstreambuffer
Operating systems & Components / Operating system package or component

xml-commons-resolver
Operating systems & Components / Operating system package or component

xml-commons-apis
Operating systems & Components / Operating system package or component

xerces-j2
Operating systems & Components / Operating system package or component

xalan-j2
Operating systems & Components / Operating system package or component

velocity
Operating systems & Components / Operating system package or component

stax-ex
Operating systems & Components / Operating system package or component

slf4j-jdk14
Operating systems & Components / Operating system package or component

relaxngDatatype
Operating systems & Components / Operating system package or component

javassist-javadoc
Operating systems & Components / Operating system package or component

javassist
Operating systems & Components / Operating system package or component

jakarta-commons-httpclient
Operating systems & Components / Operating system package or component

jackson-module-jaxb-annotations
Operating systems & Components / Operating system package or component

glassfish-jaxb-api
Operating systems & Components / Operating system package or component

glassfish-fastinfoset
Operating systems & Components / Operating system package or component

bea-stax-api
Operating systems & Components / Operating system package or component

apache-commons-net
Operating systems & Components / Operating system package or component

apache-commons-lang
Operating systems & Components / Operating system package or component

apache-commons-collections
Operating systems & Components / Operating system package or component

slf4j
Operating systems & Components / Operating system package or component

Vendor: OpenAnolis

Security Bulletin

This security bulletin contains one medium-risk vulnerability.

1) Out-of-bounds write

EUVDB-ID: #VU61799

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-36518

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger an out-of-bounds write and cause a denial of service condition on the target system.

Mitigation

Install updates from the vendor's repository.

Vulnerable software versions

Anolis OS: 8

resteasy: before 3.0.26-7

python3-idm-pki: before 10.15.0-1

pki-servlet-engine: before 9.0.62-1

jackson-parent: before 2.14-1

jackson-jaxrs-providers: before 2.14.2-1

jackson-jaxrs-json-provider: before 2.14.2-1

jackson-databind: before 2.14.2-1

jackson-core: before 2.14.2-1

jackson-bom: before 2.14.2-1

jackson-annotations: before 2.14.2-1

idm-tomcatjss: before 7.8.0-1

idm-pki-server: before 10.15.0-1

idm-pki-kra: before 10.15.0-1

idm-pki-ca: before 10.15.0-1

idm-pki-base-java: before 10.15.0-1

idm-pki-base: before 10.15.0-1

idm-pki-acme: before 10.15.0-1

idm-ldapjdk-javadoc: before 4.24.0-1

idm-ldapjdk: before 4.24.0-1

glassfish-jaxb-txw2: before 2.2.11-12

glassfish-jaxb-runtime: before 2.2.11-12

glassfish-jaxb-core: before 2.2.11-12

fasterxml-oss-parent: before 49-1

idm-pki-tools: before 10.15.0-1

idm-pki-symkey: before 10.15.0-1

idm-jss-javadoc: before 4.11.0-1

idm-jss: before 4.11.0-1

xsom: before 0-19.20110809svn

xmlstreambuffer: before 1.5.4-8

xml-commons-resolver: before 1.2-26

xml-commons-apis: before 1.4.01-25

xerces-j2: before 2.11.0-34

xalan-j2: before 2.7.1-38

velocity: before 1.7-24

stax-ex: before 1.7.7-8

slf4j-jdk14: before 1.7.25-4

relaxngDatatype: before 2011.1-7

javassist-javadoc: before 3.18.1-8

javassist: before 3.18.1-8

jakarta-commons-httpclient: before 3.1-28

jackson-module-jaxb-annotations: before 2.7.6-4

glassfish-jaxb-api: before 2.2.12-8

glassfish-fastinfoset: before 1.2.13-9

bea-stax-api: before 1.2.0-16

apache-commons-net: before 3.6-3

apache-commons-lang: before 2.6-21

apache-commons-collections: before 3.2.2-10

slf4j: before 1.7.25-4

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:0498


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


