Markus Loewe

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1 Oracle GraalVM Enterprise Edition versions 20.3.8, 21.3.4, 22.3.0 **Description** A difficult to exploit vulnerability in the Oracle Java SE and Oracle GraalVM Enterprise Edition allows an unauthenticated attacker with network access via multiple protocols to compromise the system. Successful attacks can result in unauthorized update, insert, or delete access to some accessible data. This vulnerability applies to Java deployments in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code and rely on the Java sandbox for security. **Recommendations** For Oracle Java SE versions 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1, consider disabling the Sound component until a patch is available. For Oracle GraalVM Enterprise Edition versions 20.3.8, 21.3.4, 22.3.0, consider disabling the Sound component until a patch is available. As a temporary workaround, restrict access to the Sound component to minimize the risk of exploitation. Avoid using the affected Oracle Java SE and Oracle GraalVM Enterprise Edition versions in clients that load and run untrusted code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 7u331, 8u321, 11.0.14, 17.0.2, 18 Oracle GraalVM Enterprise Edition versions 20.3.5, 21.3.1, 22.0.0.2 **Description** The issue is related to an unauthenticated attacker with network access via multiple protocols being able to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition, resulting in a partial denial of service. This vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited by using APIs in the specified component, for example, through a web service that supplies data to the APIs. **Recommendations** For Oracle Java SE versions 7u331, 8u321, 11.0.14, 17.0.2, 18, update to a version that contains the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.5, 21.3.1, 22.0.0.2, update to a version that contains the fix for this issue. As a temporary workaround, consider restricting access to the vulnerable Libraries component until a patch is available. Avoid using APIs in the specified component, e.g., through a web service, until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1 Oracle GraalVM Enterprise Edition versions 20.3.4, 21.3.0 **Description** The issue is related to insufficient input validation in the Libraries component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This allows an unauthenticated attacker with network access via multiple protocols to compromise the system, resulting in a partial denial of service. The vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component. **Recommendations** For Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.4, 21.3.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the vulnerable Libraries component until a patch is available. Avoid using APIs in the specified component that supply data to untrusted sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1 Oracle GraalVM Enterprise Edition versions 20.3.4 and 21.3.0 **Description** The issue is related to an easily exploitable vulnerability in the Libraries component of Oracle Java SE and Oracle GraalVM Enterprise Edition, allowing an unauthenticated attacker with network access via multiple protocols to compromise the system. This can result in a partial denial of service. The vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component. **Recommendations** For Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.4 and 21.3.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Libraries component until a patch is available. Avoid using APIs in the specified component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 7u311, 8u301, 11.0.12, 17 Oracle GraalVM Enterprise Edition versions 20.3.3 and 21.2.0 **Description** The issue is related to an unspecified vulnerability in the Utility component of Java SE and Oracle GraalVM Enterprise Edition. This vulnerability can be exploited by an unauthenticated attacker with network access via multiple protocols, allowing them to compromise Java SE and Oracle GraalVM Enterprise Edition. Successful attacks can result in a partial denial of service. The vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component. **Recommendations** For Java SE versions 7u311, 8u301, 11.0.12, 17, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.3 and 21.2.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Utility component until a patch is available. Avoid using APIs in the specified component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MySQL Server versions 8.0.25 and prior **Description** The issue is related to errors in resource release in the MySQL Server product, specifically in the Server: DML component. It allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. Successful attacks can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of the MySQL Server. **Recommendations** For versions 8.0.25 and prior, update to a version later than 8.0.25 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 7u291, 8u281, 11.0.10, 16 Java SE Embedded version 8u281 Oracle GraalVM Enterprise Edition versions 19.3.5, 20.3.1.2, 21.0.0.2 **Description** The issue allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all accessible data. This issue applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified component. **Recommendations** For Java SE versions 7u291, 8u281, 11.0.10, 16, update to a version that includes the fix for this issue. For Java SE Embedded version 8u281, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 19.3.5, 20.3.1.2, 21.0.0.2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to APIs in the specified component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 7u271, 8u261, 11.0.8, and 15 Java SE Embedded version 8u261 **Description** The issue is related to insufficient input validation in the Libraries component of Java SE and Java SE Embedded. It allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE and Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and can result in unauthorized update, insert, or delete access to some of the accessible data. This issue applies to Java deployments in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code and rely on the Java sandbox for security. **Recommendations** For Java SE versions 7u271, 8u261, 11.0.8, and 15, update to a version that includes the fix for this issue. For Java SE Embedded version 8u261, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Libraries component until a patch is available. Avoid using the vulnerable component in the affected API endpoints until the issue is resolved. Restrict access to the vulnerable module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 7u271, 8u261, 11.0.8, and 15 Java SE Embedded version 8u261 **Description** A difficult to exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. Successful attacks can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. **Recommendations** For Java SE versions 7u271, 8u261, 11.0.8, and 15, update to a version that contains a fix for this vulnerability. For Java SE Embedded version 8u261, update to a version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the Java sandbox in clients running sandboxed Java Web Start applications or sandboxed Java applets until a patch is available. Restrict access to untrusted code, such as code that comes from the internet, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 7u271, 8u261, 11.0.8, and 15 Java SE Embedded version 8u261 **Description** The issue is related to insufficient input validation in the Libraries component of Java SE and Java SE Embedded, allowing an unauthenticated attacker with network access via multiple protocols to compromise the system. Successful attacks can result in unauthorized update, insert, or delete access to some accessible data. This can be exploited through sandboxed Java Web Start applications, sandboxed Java applets, or by supplying data to APIs in the specified component. **Recommendations** For Java SE versions 7u271, 8u261, 11.0.8, and 15, consider disabling the use of the Libraries component until a patch is available. For Java SE Embedded version 8u261, restrict access to the Libraries component to minimize the risk of exploitation. As a temporary workaround, avoid using APIs in the specified component without proper input validation until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 7u261, 8u251, 11.0.7, and 14.0.1 Java SE Embedded version 8u251 **Description** The issue is related to insufficient input validation in the Libraries component of Oracle Java SE and Java SE Embedded. This can be exploited by an unauthenticated attacker with network access via multiple protocols to compromise Java SE and Java SE Embedded, potentially leading to a takeover. The vulnerability affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets, and rely on the Java sandbox for security. It does not apply to Java deployments that load and run only trusted code, typically in servers. **Recommendations** For Java SE versions 7u261, 8u251, 11.0.7, and 14.0.1, update to a version that contains a fix for this issue. For Java SE Embedded version 8u251, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting the use of the Libraries component until a patch is available. Avoid running untrusted code in Java deployments that rely on the Java sandbox for security.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 4.17.10 Description: The issue is related to an invalid pointer dereference in the `io ctl map page()` function when mounting and operating a crafted btrfs image. This is due to a lack of block group item validation in `check leaf item` in `fs/btrfs/tree-checker.c`. Exploitation of this issue may allow an attacker to cause a denial of service. Recommendations: For Linux kernel versions prior to 4.17.10, update to a version 4.17.10 or later to resolve the issue. As a temporary workaround, consider restricting the use of crafted btrfs images to minimize the risk of exploitation.