Debian LTS Advisory DLA-3100-1

It was discovered that Gson, a Java library that can be used to convert Java Objects into their JSON representations and vice versa, was vulnerable to a de-serialization flaw. An application would de-serialize untrusted data without sufficiently verifying that the resulting data will be valid, letting the …
Debian Security Advisory DSA-5227-1

It was discovered that Gson, a Java library that can be used to convert Java Objects into their JSON representations and vice versa, was vulnerable to a de-serialization flaw. An application would de-serialize untrusted data without sufficiently verifying that the resulting data will be valid, letting the …
Red Hat Security Advisory

Synopsis: Low: Red Hat JBoss Web Server 3.1 Service Pack 14 security update
Advisory ID: RHSA-2022:0527-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0527
Issue date: 2022-02-14
CVE Names: CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7 and Microsoft Windows.

Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 12. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.
Security Fix(es):

* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)
* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)
* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)
* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

5. References:

https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification#low

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2022 Red Hat, Inc.
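Each of the log4j 1.x issues in the advisory above applies only when an application is configured to use a particular component. As an added example (not code from Red Hat or the log4j project), the following Python script checks a log4j 1.x configuration for the two components that are declared as appenders in log4j.properties or log4j.xml, JMSAppender (CVE-2021-4104) and JDBCAppender (CVE-2022-23305), so an operator can tell whether an unpatched host actually enables those two code paths. It assumes the standard log4j 1.2 class names org.apache.log4j.net.JMSAppender and org.apache.log4j.jdbc.JDBCAppender, parses with regular expressions rather than a full properties or XML parser, and runs against two constructed sample configurations embedded inline. JMSSink (CVE-2022-23302) and the Chainsaw viewer (CVE-2022-23307) are run as separate programs rather than declared as appenders, so a configuration scan cannot detect them; in every case the fix remains applying the update.

```python
import re
import sys

# log4j 1.2 appender classes named in the advisory, mapped to the CVE the
# advisory text attaches to each (class names are real log4j 1.2 classes;
# the mapping follows the advisory wording).
AFFECTED_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# log4j.properties form: "log4j.appender.<name>=<class>" at line start.
# Commented-out lines and per-appender settings such as
# "log4j.appender.<name>.layout=..." deliberately do not match.
_PROPS_RE = re.compile(
    r"^[ \t]*log4j\.appender\.([\w-]+)[ \t]*=[ \t]*([\w.]+)[ \t\r]*$", re.MULTILINE
)

# log4j.xml form: <appender name="..." class="...">, attributes in any order.
# "\s+" keeps <appender-ref> elements from matching.
_XML_APPENDER_RE = re.compile(r"<appender\s+([^>]*)>")
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_affected_appenders(config_text):
    """Return sorted (appender_name, class_name, cve) tuples for every appender
    declared in a log4j 1.x properties or XML configuration whose class is one
    of the advisory-listed appenders. An empty list means the configuration
    enables neither appender."""
    findings = set()
    for name, cls in _PROPS_RE.findall(config_text):
        if cls in AFFECTED_APPENDERS:
            findings.add((name, cls, AFFECTED_APPENDERS[cls]))
    for attrs in _XML_APPENDER_RE.findall(config_text):
        attr = dict(_ATTR_RE.findall(attrs))
        cls = attr.get("class", "")
        if cls in AFFECTED_APPENDERS:
            findings.add((attr.get("name", "<unnamed>"), cls, AFFECTED_APPENDERS[cls]))
    return sorted(findings)


def scan_files(paths):
    """Scan each file path and return {path: findings}; unreadable paths are skipped."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = find_affected_appenders(fh.read())
        except OSError:
            continue
    return results


# Constructed sample configurations for this example (not from any real deployment).
SAMPLE_PROPERTIES = """\
# constructed sample log4j.properties
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

SAMPLE_XML = """\
<!-- constructed sample log4j.xml -->
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender class="org.apache.log4j.jdbc.JDBCAppender" name="db">
    <param name="URL" value="jdbc:example"/>
  </appender>
</log4j:configuration>
"""

if __name__ == "__main__":
    # With file paths on the command line, scan those; otherwise run the samples.
    targets = sys.argv[1:]
    if targets:
        for path, hits in scan_files(targets).items():
            for name, cls, cve in hits:
                print(f"{path}: appender '{name}' uses {cls} ({cve})")
    else:
        for label, text in (("properties", SAMPLE_PROPERTIES), ("xml", SAMPLE_XML)):
            print(label, find_affected_appenders(text))
```

Run it with one or more configuration paths to get a per-file list of enabled affected appenders; a clean result only narrows exposure for these two CVEs and is not a substitute for installing the patched package.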
Red Hat Security Advisory

Synopsis: Important: rh-maven36-log4j12 security update
Advisory ID: RHSA-2022:0439-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0439
Issue date: 2022-02-03
CVE Names: CVE-2022-23302 CVE-2022-23305 CVE-2022-23307

1. Summary:

An update for rh-maven36-log4j12 is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch

3. Description:

Log4j is a tool to help the programmer output log statements to a variety of output targets.

Security Fix(es):

* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source: rh-maven36-log4j12-1.2.17-23.4.el7.src.rpm

noarch: rh-maven36-log4j12-1.2.17-23.4.el7.noarch.rpm rh-maven36-log4j12-javadoc-1.2.17-23.4.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source: rh-maven36-log4j12-1.2.17-23.4.el7.src.rpm

noarch: rh-maven36-log4j12-1.2.17-23.4.el7.noarch.rpm rh-maven36-log4j12-javadoc-1.2.17-23.4.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2022 Red Hat, Inc.
openSUSE Security Update: Security update for log4j

Announcement ID: openSUSE-SU-2022:0214-1
Rating: important
References: #1194842 #1194843 #1194844
Cross-References: CVE-2022-23302 CVE-2022-23305 CVE-2022-23307
CVSS scores:
CVE-2022-23302 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23302 (SUSE): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23305 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23305 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-23307 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.4
openSUSE Leap 15.3

An update that fixes three vulnerabilities is now available.

Description:

This update for log4j fixes the following issues:

- CVE-2022-23307: Fixed deserialization flaw in the chainsaw component of log4j leading to malicious code execution. (bsc#1194844)
- CVE-2022-23305: Fixed SQL injection when application is configured to use JDBCAppender. (bsc#1194843)
- CVE-2022-23302: Fixed remote code execution when application is configured to use JMSSink. (bsc#1194842)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-214=1
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-214=1

Package List:

- openSUSE Leap 15.4 (noarch):
log4j-manual-1.2.17-5.9.1
- openSUSE Leap 15.3 (noarch):
log4j-manual-1.2.17-5.9.1

References:

https://www.suse.com/security/cve/CVE-2022-23302.html
https://www.suse.com/security/cve/CVE-2022-23305.html
https://www.suse.com/security/cve/CVE-2022-23307.html
https://bugzilla.suse.com/1194842
https://bugzilla.suse.com/1194843
https://bugzilla.suse.com/1194844

Urgent Fedora patch addresses log4j flaws, mitigating risks of remote code execution and SQL injection attacks.
openSUSE Update, log4j Security Fixes, Remote Code Execution, SQL Injection, Deserialization Flaw.
Severity: Important
LinuxSecurity.com Team
Red Hat Security Advisory

Synopsis: Important: Red Hat support for Spring Boot 2.1.15 security and bug fix update
Advisory ID: RHSA-2020:3017-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3017
Issue date: 2020-07-27
CVE Names: CVE-2020-1714 CVE-2020-9484

1. Summary:

An update is now available for Red Hat support for Spring Boot.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.1.15 serves as a replacement for Red Hat support for Spring Boot 2.1.13, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):

* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)
* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

5. References:

https://access.redhat.com/security/cve/CVE-2020-1714
https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/updates/classification#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.1.15
https://docs.redhat.com/en/documentation/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/index

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2020 Red Hat, Inc.
Synopsis: Important: tomcat security update
Advisory ID: SLSA-2020:2530-1
Issue Date: 2020-06-11
CVE Numbers: None

Security Fix(es):

* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)

SL7 noarch
tomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm
tomcat-7.0.76-12.el7_8.noarch.rpm
tomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm
tomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm
tomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm
tomcat-javadoc-7.0.76-12.el7_8.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm
tomcat-jsvc-7.0.76-12.el7_8.noarch.rpm
tomcat-lib-7.0.76-12.el7_8.noarch.rpm
tomcat-webapps-7.0.76-12.el7_8.noarch.rpm

- Scientific Linux Development Team

Crucial Apache Tomcat security patch released for SL7 correcting a severe session management vulnerability that poses remote code execution risks.
tomcat update, RCE threat, session persistence issue, security advisory.
Severity: Important
LinuxSecurity.com Team
Package : jackson-databind
Version : 2.4.2-2+deb8u10
CVE ID : CVE-2019-17267 CVE-2019-17531

More deserialization flaws were discovered in jackson-databind which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization.

For Debian 8 "Jessie", these problems have been fixed in version 2.4.2-2+deb8u10.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Recent research highlights significant security flaws in Jackson Databind on Debian that could allow deserialization attacks and remote code execution. Immediate upgrades are recommended!
jackson-databind, remote Code Execution, Debian Security, Deserialization Flaw.
Severity: Critical
LinuxSecurity.com Team