Ability to generate forged ECDSA signatures in Java SE. Vulnerabilities in MySQL, VirtualBox and Solaris

Oracle has published a scheduled release of updates for its products (Critical Patch Update), aimed at eliminating critical problems and vulnerabilities. The April update fixes a total of 520 vulnerabilities.

Some of the problems:

  • 6 security problems in Java SE. All of the vulnerabilities can be exploited remotely without authentication and affect environments that allow the execution of untrusted code. Two problems are assigned a severity level of 7.5. The vulnerabilities are fixed in the Java SE 18.0.1, 11.0.15 and 8u331 releases.

    One of the problems (CVE-2022-21449) makes it possible to create a forged ECDSA digital signature by using zero curve parameters when generating it (if the parameters are zero, the curve goes to infinity, so zero values are explicitly forbidden in the specification). The Java libraries did not check for zero values of the ECDSA parameters, so when processing signatures with zero parameters, Java treated them as valid in all cases.

    Among other things, the vulnerability can be used to generate forged TLS certificates that Java will accept as valid, as well as to bypass authentication via WebAuthn and to create forged JWT signatures and OIDC tokens. In other words, the vulnerability makes it possible to generate universal certificates and signatures that will be accepted and treated as valid by Java handlers that use the standard java.security.* classes for verification. The problem appears in Java branches 15, 16, 17 and 18. An example of generating forged certificates is available.

        jshell> import java.security.*
        jshell> var keys = KeyPairGenerator.getInstance("EC").generateKeyPair()
        keys ==> java.security.KeyPair@626b2d4a
        jshell> var blankSignature = new byte[64]
        blankSignature ==> byte[64] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ... , 0, 0, 0, 0, 0, 0, 0, 0 }
        jshell> var sig = Signature.getInstance("SHA256WithECDSAInP1363Format")
        sig ==> Signature object: SHA256WithECDSAInP1363Format<not initialized>
        jshell> sig.initVerify(keys.getPublic())
        jshell> sig.update("Hello, World".getBytes())
        jshell> sig.verify(blankSignature)
        $8 ==> true

  • 26 vulnerabilities in MySQL server, two of which can be exploited remotely. The most serious problems, which are related to the use of OpenSSL and protobuf, are assigned a severity level of 7.5. Less severe vulnerabilities affect the optimizer, InnoDB, replication, the PAM plugin, DDL, DML, FTS and logging. The problems are fixed in the MySQL Community Server 8.0.29 and 5.7.38 releases.
  • 5 vulnerabilities in VirtualBox. The problems are assigned severity levels from 7.5 to 3.8 (the most dangerous vulnerability appears only on the Windows platform). The vulnerabilities are fixed in the VirtualBox 6.1.34 update.
  • 6 vulnerabilities in Solaris. The problems affect the kernel and utilities. The most serious problem in the utilities is assigned a severity level of 8.2. The vulnerabilities are fixed in the Solaris 11.4 SRU44 update.
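
A check a defender can run against CVE-2022-21449, as an added example that is not code from the original article or from Oracle: it reports whether the running JDK accepts the all-zero signature from the session above and shows a wrapper that rejects r or s outside [1, n-1] before calling the JDK. The class and method names (`EcdsaRangeCheck`, `inRange`, `jdkVerify`, `safeVerify`) are hypothetical, and Java 9 or later is assumed for the `SHA256withECDSAinP1363Format` algorithm name.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.util.Arrays;

// Added example; class and method names are hypothetical.
public class EcdsaRangeCheck {
    static final String ALG = "SHA256withECDSAinP1363Format";

    // True when both halves of a raw r||s (P1363) signature lie in [1, n-1].
    static boolean inRange(byte[] sig, BigInteger n) {
        if (sig.length == 0 || sig.length % 2 != 0) return false;
        int half = sig.length / 2;
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(sig, 0, half));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(sig, half, sig.length));
        return r.signum() > 0 && s.signum() > 0 && r.compareTo(n) < 0 && s.compareTo(n) < 0;
    }

    // What the JDK itself says about the signature; an exception counts as a rejection.
    static boolean jdkVerify(PublicKey key, byte[] msg, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance(ALG);
        v.initVerify(key);
        v.update(msg);
        try { return v.verify(sig); } catch (SignatureException e) { return false; }
    }

    // Hardened path: range-check r and s before handing the signature to the JDK.
    static boolean safeVerify(ECPublicKey key, byte[] msg, byte[] sig) throws GeneralSecurityException {
        return inRange(sig, key.getParams().getOrder()) && jdkVerify(key, msg, sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair keys = kpg.generateKeyPair();
        ECPublicKey pub = (ECPublicKey) keys.getPublic();
        byte[] msg = "Hello, World".getBytes(StandardCharsets.UTF_8);
        byte[] blank = new byte[64]; // constructed input: r = s = 0, as in the session above
        Signature signer = Signature.getInstance(ALG);
        signer.initSign(keys.getPrivate());
        signer.update(msg);
        byte[] good = signer.sign();
        System.out.println("java.version           = " + System.getProperty("java.version"));
        System.out.println("JDK accepts blank sig  = " + jdkVerify(pub, msg, blank));
        System.out.println("safeVerify(blank sig)  = " + safeVerify(pub, msg, blank));
        System.out.println("safeVerify(real sig)   = " + safeVerify(pub, msg, good));
    }
}
```

If the "JDK accepts blank sig" line reports true, the runtime itself still has the flaw and should be updated to one of the fixed releases; the range check only covers code paths that go through the wrapper.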

Source: opennet.ru
