This is the first of a series of blog posts on security vulnerabilities that we will explore week by week.
This week Java is featured, as it has been receiving a lot of attention since the beginning of the year.
JAVA:
The high-severity flaw in question, CVE-2022-21449 (CVSS score: 7.5), is a bug in the ECDSA signature verification of Java SE: the verifier skipped the check that both signature values r and s lie in the range 1 to n-1, so an all-zero signature (r = 0, s = 0) was accepted as valid for any message under any public key. Anything that trusts a JDK ECDSA check (TLS handshakes, JWTs, SAML assertions, signed tokens) is exposed. Oracle lists the following versions of Java SE and Oracle GraalVM Enterprise Edition as affected; the rewritten EC code that actually accepts the bogus signature shipped with Java 15, so Java 15 and later builds are the ones to patch first:
- Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18
- Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0
POC available. Patched in the Oracle Critical Patch Update of 19/4/22. A quick test for your own JVM: feed a DER or P1363 signature consisting of zeros to Signature.verify(); a patched runtime rejects it.
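As an added example (not Oracle's code and not from the advisory), here is a pure-Python model of the bug on P-256: one verifier omits the range check on (r, s) and accepts the all-zero signature, the other enforces 1 <= r, s <= n-1 as the fix does. The Fermat inverse that silently maps 0 to 0 and the treatment of the identity point as having x = 0 are modelling assumptions chosen to reproduce the reported behaviour, not the JDK's actual implementation; the message and keys are constructed.

```python
"""Model of CVE-2022-21449: ECDSA verification without the (r, s) range check
accepts r = s = 0 for any key and message. Added example, not Oracle's code."""
import hashlib
import secrets

# NIST P-256: y^2 = x^3 + A*x + B over GF(P); base point G of prime order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity (group identity)


def inv(x, m):
    """Fermat inverse mod prime m. Like a constant-time field inverse it
    returns 0 for x = 0 instead of failing; the buggy verifier relies on that."""
    return pow(x, m - 2, m)


def add(p1, p2):
    """Affine short-Weierstrass point addition (handles doubling and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication; k = 0 yields the identity."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)


def sign(d, msg):
    e = hash_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = inv(k, N) * (e + r * d) % N
        if r and s:
            return r, s


def verify_buggy(pub, msg, sig):
    """No range check: with r = s = 0, w = 0, u1 = u2 = 0, R = INF, and an
    identity whose x reads as 0 matches r = 0, so the signature is accepted."""
    r, s = sig
    w = inv(s, N)
    e = hash_int(msg)
    R = add(mul(e * w % N, G), mul(r * w % N, pub))
    x = 0 if R is INF else R[0]  # models projective code that converts INF to x = 0
    return x % N == r


def verify_fixed(pub, msg, sig):
    """Hardened: require 1 <= r, s <= N-1 and reject an identity result."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = inv(s, N)
    e = hash_int(msg)
    R = add(mul(e * w % N, G), mul(r * w % N, pub))
    return R is not INF and R[0] % N == r


if __name__ == "__main__":
    d, pub = keygen()
    msg = b"constructed sample message"
    print("genuine sig, buggy verifier:", verify_buggy(pub, msg, sign(d, msg)))
    print("genuine sig, fixed verifier:", verify_fixed(pub, msg, sign(d, msg)))
    print("(0, 0) sig, buggy verifier:", verify_buggy(pub, b"anything", (0, 0)))
    print("(0, 0) sig, fixed verifier:", verify_fixed(pub, b"anything", (0, 0)))
```

The same check applies whatever the signature encoding: a DER-encoded zero pair and a raw P1363 block of zero bytes both decode to (0, 0), so a verifier must validate the decoded integers, not just the encoding.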
Old but not old: still the Spring Framework.
The remote code execution (RCE) vulnerability tracked as CVE-2010-1622 is back in the news because this year's Spring4Shell (CVE-2022-22965) is a bypass of its fix: the same class-loader manipulation through data binding, reachable again on JDK 9 and later.
Atlassian
CVE-2022-0540 is an authentication bypass in Seraph, the web authentication framework used by Jira and Jira Service Management, and comes with a severity rating of 9.9. An unauthenticated remote attacker can reach protected WebWork actions by sending a specially crafted HTTP request, and installed apps that rely only on Seraph for their authentication are affected as well.
More specifically, the following versions are impacted:
- Jira Core Server, Software Server, and Software Data Center before 8.13.18, the 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x.
- Jira Service Management Server and Management Data Center before 4.13.18, the 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, 4.21.x.
—
Bonus Infra:
Cisco
A flaw in Cisco Umbrella Virtual Appliance (VA) allows unauthenticated attackers to steal admin credentials remotely.
Fraser Hess of Pinnacol Assurance found the flaw (tracked as CVE-2022-20773) in the key-based SSH authentication mechanism of Cisco Umbrella VA: the appliance ships with a static SSH host key, so an attacker positioned between an administrator and the VA can impersonate the appliance and capture the administrator's credentials in a man-in-the-middle attack. Host-key pinning in known_hosts does not help here, because the attacker presents the same key; the fix is a software version with a per-appliance key.
Cisco says the SSH service is not enabled by default on Umbrella on-premises virtual machines, which significantly lowers the vulnerability's overall impact.
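The tell-tale sign of a static host key is the same fingerprint turning up on several appliances. The following added example (not Cisco's code or the advisory's) parses ssh-keyscan or known_hosts lines, computes OpenSSH-style SHA256 fingerprints, and reports any key served by more than one host. The hostnames and key blobs below are constructed placeholders, not real keys.

```python
"""Flag SSH host keys shared by more than one host, the symptom of a
static/baked-in host key such as the one behind CVE-2022-20773.
Added example; input is ssh-keyscan / known_hosts format."""
import base64
import hashlib
from collections import defaultdict


def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def ed25519_blob(raw_key: bytes) -> str:
    """Base64 public-key blob in OpenSSH wire format (type string + 32-byte key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)).decode()


# Constructed sample scan: va1 and va2 present the identical key, bastion does not.
SAMPLE_KEYSCAN = "\n".join([
    "# va1.example.internal:22 SSH-2.0-OpenSSH_8.2",
    "va1.example.internal ssh-ed25519 " + ed25519_blob(b"\x11" * 32),
    "# va2.example.internal:22 SSH-2.0-OpenSSH_8.2",
    "va2.example.internal ssh-ed25519 " + ed25519_blob(b"\x11" * 32),
    "# bastion.example.internal:22 SSH-2.0-OpenSSH_8.9",
    "bastion.example.internal ssh-ed25519 " + ed25519_blob(b"\x22" * 32),
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, blob) from ssh-keyscan / known_hosts lines; '#' lines are comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def shared_host_keys(text: str) -> dict:
    """Map fingerprint -> sorted list of hosts, for every key seen on more than one host."""
    seen = defaultdict(set)
    for host, keytype, blob in parse_keyscan(text):
        seen[(keytype, fingerprint(blob))].add(host)
    return {fp: sorted(hosts) for (_, fp), hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is shared by {', '.join(hosts)}")
```

To run it against a real estate, collect the keys with `ssh-keyscan -t ed25519,rsa host1 host2 ... > scan.txt` and pass the file contents to shared_host_keys(); any non-empty result deserves a look, whether it is a cloned VM, a golden image that was never re-keyed, or a vendor-shipped static key. After applying the fixed Umbrella release the appliance key changes, so expect, and accept, one known_hosts update.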
—
Cisco's April batch also includes three high-severity vulnerabilities:
- CVE-2022-20783 (CVSS score: 7.5), a denial-of-service flaw in Cisco TelePresence Collaboration Endpoint (CE) Software
- CVE-2022-20773 (CVSS score: 7.5), the Cisco Umbrella VA static SSH host key described above
- CVE-2022-20732 (CVSS score: 7.8), a privilege escalation in Cisco Virtualized Infrastructure Manager
More details: https://tools.cisco.com/security/center/publicationListing.x