This week, we’ll cover newly discovered OpenJDK vulnerabilities, a heap overflow vulnerability in Redis, and an arbitrary PHP code execution vulnerability in Drupal core.
OpenJDK released a security advisory last week containing four vulnerabilities.
CVE-2022-21541 is a difficult-to-exploit vulnerability in the hotspot/runtime component that allows an unauthenticated attacker with network access via multiple protocols to compromise Java, which could lead to unauthorized creation, deletion, or modification access to critical data or to all OpenJDK-accessible data.
CVE-2022-21540 is an easily exploitable flaw in the hotspot/compiler component that allows an unauthenticated attacker with network access via multiple protocols to gain unauthorized read access to a subset of OpenJDK-accessible data. This CVE has only a low impact on the confidentiality of data.
CVE-2022-21549, in the core-libs/java.util component, can result in unauthorized update, insert, or delete access to some OpenJDK-accessible data.
Note: All three vulnerabilities apply to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. These vulnerabilities can also be exploited through APIs in the specified component, e.g., via a web service that supplies data to those APIs.
CVE-2022-34169 is an integer truncation issue in the Apache Xalan Java XSLT library. It can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
Heap Overflow in Redis
Redis is often referred to as a data structures server: it provides access to mutable data structures via a set of commands, which are sent over TCP sockets using a simple client-server protocol, so different processes can query and modify the same data structures in a shared way.
A heap overflow condition can be triggered by an out-of-bounds write through a specially crafted XAUTOCLAIM command on a stream key in a specific state, potentially leading to remote code execution. CVE-2022-31144 affects Redis versions 7.0.0 and newer; the problem is fixed in Redis version 7.0.4.
Drupal Core – Arbitrary PHP Code Execution Vulnerability
Drupal has released four advisories describing four vulnerabilities. One has been rated “critical” and the other three “moderately critical.” The “critical” vulnerability, tracked as CVE-2022-25277, affects Drupal 9.3 and 9.4. The issue impacts Drupal core and can lead to arbitrary PHP code execution on Apache web servers through the upload of specially crafted files.
The remaining three are moderately critical according to Drupal.
CVE-2022-25276 could lead to cross-site scripting, leaked cookies, or other vulnerabilities because the Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain.
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. CVE-2022-25278 might allow a user to alter data they should not have access to.
CVE-2022-25275 arises in some situations when the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.
Upgrade to Drupal 9.4.3 or 9.3.19 to apply the patches for these vulnerabilities. Note: All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage, and Drupal 8 has reached its end of life. Drupal 7 core is not affected.
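As an added triage helper (not code from Redis, Drupal, or the advisories themselves), the following encodes the affected and fixed versions stated above for the Redis heap overflow and the critical Drupal issue, and compares versions as integer tuples so that 7.0.10 is correctly treated as newer than the 7.0.4 fix. The `ADVISORIES` table, function names, and the sample version strings are constructed for this example; only CVE-2022-31144 and CVE-2022-25277 are included because those are the two for which the page gives version ranges.

```python
"""Check whether an installed Redis or Drupal version falls in the ranges
summarised in this roundup (constructed example, not vendor code)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Extract a dotted version from a string such as '7.0.2' or the
    'redis_version:7.0.2' line of Redis INFO server, padded to three parts."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:  # treat '9.4' as 9.4.0 so tuple comparison works
        parts.append(0)
    return parts[0], parts[1], parts[2]


# Half-open ranges [first_affected, fixed_in), taken from the advisories above.
# Drupal 9.3 and 9.4 each have their own fix release, hence two rows.
ADVISORIES: Dict[str, List[Tuple[str, Version, Version]]] = {
    "redis": [("CVE-2022-31144", (7, 0, 0), (7, 0, 4))],
    "drupal": [
        ("CVE-2022-25277", (9, 3, 0), (9, 3, 19)),
        ("CVE-2022-25277", (9, 4, 0), (9, 4, 3)),
    ],
}


def applicable_cves(product: str, version: str) -> List[str]:
    """Return the CVE ids from ADVISORIES whose range contains `version`."""
    installed = parse_version(version)
    return [cve for cve, first, fixed in ADVISORIES[product]
            if first <= installed < fixed]


def drupal_unsupported(version: str) -> bool:
    """Drupal 9 releases before 9.3.x get no security coverage, so an empty
    CVE list for them means 'unassessed', not 'safe'."""
    installed = parse_version(version)
    return installed[0] == 9 and installed < (9, 3, 0)


if __name__ == "__main__":
    for product, ver in [("redis", "redis_version:7.0.2"), ("drupal", "9.2.0")]:
        print(product, ver, applicable_cves(product, ver),
              "unsupported" if product == "drupal" and drupal_unsupported(ver) else "")
```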