Bengt Jonsson

**Name of the Vulnerable Software and Affected Versions** Java SE versions 11.0.6 and 14 **Description** The issue is related to insufficient access control in the JSSE component of Java SE, allowing an unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks can result in unauthorized update, insert, or delete access to some of Java SE's accessible data, as well as unauthorized read access to a subset of Java SE's accessible data. This issue can be exploited through sandboxed Java Web Start applications, sandboxed Java applets, or by supplying data to APIs in the specified component without using sandboxed applications or applets. **Recommendations** For Java SE version 11.0.6, update to a version that includes the fix for this issue. For Java SE version 14, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the JSSE component until a patch is available. Avoid using the JSSE component for sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 11.0.5 and 13.0.1 **Description** The issue is related to a vulnerability in the Java Secure Socket Extension (JSSE) component of Oracle Java SE, which is difficult to exploit and allows an unauthenticated attacker with network access via HTTPS to compromise Java SE. This can result in unauthorized update, insert, or delete access to some of Java SE's accessible data, as well as unauthorized read access to a subset of Java SE's accessible data. The vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited by using APIs in the specified component. **Recommendations** For Java SE version 11.0.5, update to a version that contains a fix for this issue. For Java SE version 13.0.1, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the JSSE component until a patch is available. Avoid using the JSSE component for client authentication until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Solaris version 11 **Description** The issue is related to inadequate access control in the Consolidation Infrastructure component of Oracle Solaris, allowing a low-privileged attacker with logon access to the infrastructure to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and can significantly impact additional products, potentially resulting in the takeover of Oracle Solaris. **Recommendations** For Oracle Solaris version 11, consider restricting access to the Consolidation Infrastructure component to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruby versions 2.4.7 and earlier, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 **Description** The issue allows code injection if the first argument to `Shell#[]` or `Shell#test` in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. This is due to incorrect neutralization of special elements in output used by an incoming component. **Recommendations** For Ruby versions 2.4.7 and earlier, update to version 2.4.8. For Ruby versions 2.5.x through 2.5.6, update to version 2.5.7. For Ruby versions 2.6.x through 2.6.4, update to version 2.6.5. As a temporary workaround, consider validating and sanitizing the first argument to `Shell#[]` and `Shell#test` to prevent code injection.