Updates for Java SE, MySQL, VirtualBox and other Oracle products fix vulnerabilities

Oracle has published its scheduled release of product updates (Critical Patch Update), which fixes critical problems and vulnerabilities. The April update fixed a total of 390 vulnerabilities.

Some of the issues:

  • 2 security issues in Java SE. Both vulnerabilities can be exploited remotely without authentication. The problems are rated 5.9 and 5.3, are present in libraries, and appear only in environments that allow untrusted code to run. The vulnerabilities are fixed in the Java SE 16.0.1, 11.0.11 and 8u292 releases. Additionally, the TLSv1.0 and TLSv1.1 protocols are disabled by default in OpenJDK.
  • 43 vulnerabilities in the MySQL server, of which 4 can be exploited remotely (these vulnerabilities are assigned a severity level of 7.5). The remotely exploitable vulnerabilities appear in builds that use OpenSSL or MIT Kerberos. The 39 locally exploitable vulnerabilities are caused by bugs in the parser, InnoDB, DML, the optimizer, the replication system, stored procedure execution and the audit plugin. The issues are fixed in the MySQL Community Server 8.0.24 and 5.7.34 releases.
  • 20 vulnerabilities in VirtualBox. The three most dangerous problems have severity levels of 8.1, 8.2 and 8.4. One of these problems allows a remote attack through manipulation of the RDP protocol. The vulnerabilities were fixed in the VirtualBox 6.1.20 update.
  • 2 vulnerabilities in Solaris. The most severe, rated 7.8, is a locally exploitable vulnerability in CDE (Common Desktop Environment). The second problem has a severity level of 6.1 and is in the kernel. The issues are fixed in the Solaris 11.4 SRU32 update.
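
An added example (not part of the original article or any Oracle tooling) that checks reported version strings against the fixed releases listed above, normalising the legacy Java 8 forms `1.8.0_292` and `8u292`. The inventory is constructed sample data, and the check assumes upstream version numbering, so distribution packages with backported fixes need a separate review.

```python
import re

# Fixed releases named in the article, keyed by product and release branch.
FIXED = {
    "java": {(8,): (8, 0, 292), (11,): (11, 0, 11), (16,): (16, 0, 1)},
    "mysql": {(5, 7): (5, 7, 34), (8, 0): (8, 0, 24)},
    "virtualbox": {(6, 1): (6, 1, 20)},
}

def parse_version(product, text):
    """Turn a reported version string into a comparable tuple of ints."""
    text = text.strip()
    if product == "java":
        # Legacy Java 8 forms: "1.8.0_292" (java -version) and "8u292".
        m = re.fullmatch(r"1\.(\d+)\.0(?:_(\d+))?(?:-.*)?", text)
        if m:
            return (int(m.group(1)), 0, int(m.group(2) or 0))
        m = re.fullmatch(r"(\d+)u(\d+)(?:-.*)?", text)
        if m:
            return (int(m.group(1)), 0, int(m.group(2)))
    # Modern form "11.0.11+9", "8.0.24-0ubuntu1": keep the leading dotted numbers.
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "16" to (16, 0, 0)

def patch_status(product, text):
    """Return 'patched', 'outdated' or 'unknown-branch' for one installation."""
    version = parse_version(product, text)
    for branch, fixed in FIXED[product].items():
        if version[:len(branch)] == branch:
            return "patched" if version >= fixed else "outdated"
    return "unknown-branch"  # branch not mentioned in the article

# Constructed sample inventory (not real hosts).
INVENTORY = [
    ("java", "1.8.0_282"), ("java", "11.0.11+9"), ("java", "16"),
    ("mysql", "8.0.23-0ubuntu0.20.04.1"), ("mysql", "5.7.34"),
    ("virtualbox", "6.1.18"), ("virtualbox", "6.0.24"),
]

if __name__ == "__main__":
    for product, reported in INVENTORY:
        print(f"{product:<11}{reported:<26}{patch_status(product, reported)}")
```

A result of `unknown-branch` means the article names no fixed release for that branch, so it says nothing about whether the installation is affected.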

Source: opennet.ru
