Ability to generate dummy ECDSA signatures in Java SE. Vulnerabilities in MySQL, VirtualBox and Solaris

Oracle has published its scheduled release of updates for its products (Critical Patch Update), intended to eliminate critical problems and vulnerabilities. The April update fixes a total of 520 vulnerabilities.

Some of the problems:

  • 6 security issues in Java SE. All of the vulnerabilities can be exploited without authentication and affect environments that allow untrusted code to be executed. Two issues are assigned a severity level of 7.5. The vulnerabilities are fixed in the Java SE 18.0.1, 11.0.15 and 8u331 updates.

    One of the problems (CVE-2022-21449) allows a fake ECDSA signature to be produced by using zero values for the curve parameters when generating it (if the parameters are zero, the curve goes off to infinity, which is why zero values are explicitly forbidden by the specification). The Java libraries did not check the values of the ECDSA parameters, so when processing signatures with zero parameters Java treated them as valid in every case.

    Among other things, the vulnerability can be used to produce fake TLS certificates that Java will accept as valid, as well as to bypass authentication via WebAuthn and to forge JWT signatures and OIDC tokens. In other words, the vulnerability allows universal certificates and signatures to be produced that will be accepted and treated as valid by Java handlers that use the java.security.* classes for verification. The problem appears in the Java 15, 16, 17 and 18 branches. An example of generating a fake signature is available:

      jshell> import java.security.*
      jshell> var keys = KeyPairGenerator.getInstance("EC").generateKeyPair()
      keys ==> java.security.KeyPair@626b2d4a
      jshell> var blankSignature = new byte[64]
      blankSignature ==> byte[64] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, … , 0, 0, 0, 0, 0, 0, 0, 0 }
      jshell> var sig = Signature.getInstance("SHA256WithECDSAInP1363Format")
      sig ==> Signature object: SHA256WithECDSAInP1363Format
      jshell> sig.initVerify(keys.getPublic())
      jshell> sig.update("Hello, World".getBytes())
      jshell> sig.verify(blankSignature)
      $8 ==> true
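    The missing check described above is the range test on the signature components, and the jshell transcript shows what happens when it is absent. As an added example (not code from the original post, from opennet.ru or from the JDK), the following Java program applies that check itself before handing a P1363-format signature to java.security.Signature, so that an all-zero signature like the one in the transcript is rejected regardless of whether the runtime has been patched. The class name EcdsaRangeCheck, the helper names and the use of the P-256 curve are assumptions of this example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.ECPublicKey;
import java.util.Arrays;

// Example class (name is an assumption of this example, not part of the JDK).
public final class EcdsaRangeCheck {

    /**
     * Verifies an ECDSA signature in IEEE P1363 format (r || s, each half of
     * fixed width) and enforces the range check the JDK omitted before
     * CVE-2022-21449: 1 <= r < n and 1 <= s < n, where n is the order of the
     * curve's base point. A signature with r = 0 or s = 0 never reaches the
     * JDK verifier, so the outcome does not depend on the runtime version.
     */
    public static boolean verifyP1363(PublicKey publicKey, byte[] message, byte[] signature)
            throws GeneralSecurityException {
        if (!(publicKey instanceof ECPublicKey)) {
            throw new IllegalArgumentException("not an EC public key");
        }
        BigInteger n = ((ECPublicKey) publicKey).getParams().getOrder();

        // P1363 encoding: two equal-width, big-endian, unsigned integers.
        int width = (n.bitLength() + 7) / 8;
        if (signature.length != 2 * width) {
            return false; // malformed length, reject before doing anything else
        }
        BigInteger r = new BigInteger(1, Arrays.copyOfRange(signature, 0, width));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(signature, width, signature.length));

        // The specification forbids zero (and out-of-range) components outright.
        if (!inRange(r, n) || !inRange(s, n)) {
            return false;
        }

        Signature verifier = Signature.getInstance("SHA256WithECDSAInP1363Format");
        verifier.initVerify(publicKey);
        verifier.update(message);
        return verifier.verify(signature);
    }

    // True when 1 <= v < n.
    static boolean inRange(BigInteger v, BigInteger n) {
        return v.signum() > 0 && v.compareTo(n) < 0;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256); // NIST P-256: 32-byte r and s, 64-byte P1363 signature
        KeyPair keys = kpg.generateKeyPair();
        byte[] msg = "Hello, World".getBytes(StandardCharsets.UTF_8);

        // A genuine signature over the message, produced with the private key.
        Signature signer = Signature.getInstance("SHA256WithECDSAInP1363Format");
        signer.initSign(keys.getPrivate());
        signer.update(msg);
        byte[] genuine = signer.sign();

        // The all-zero signature from the jshell transcript above (constructed input).
        byte[] blank = new byte[64];

        System.out.println("genuine signature: " + verifyP1363(keys.getPublic(), msg, genuine)); // true
        System.out.println("all-zero signature: " + verifyP1363(keys.getPublic(), msg, blank));  // false
    }
}
```

    The range check is cheap and is the same test the specification requires of every verifier, so wrapping verification this way is a reasonable belt-and-braces measure for code that cannot yet move to the fixed Java SE releases listed above; it does not replace the update, because other code paths (TLS, JWT and OIDC libraries) call the JDK verifier directly rather than through such a wrapper.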

  • 26 in MySQL Server, two of which can be exploited. The most serious problems, related to the use of OpenSSL and protobuf, are assigned a severity level of 7.5. Less severe vulnerabilities affect the optimizer, InnoDB, replication, the PAM plugin, DDL, DML, FTS and logging. The issues are fixed in the MySQL Community Server 8.0.29 and 5.7.38 releases.
  • 5 vulnerabilities in VirtualBox. The issues are assigned severity levels from 7.5 down to 3.8 (the most dangerous vulnerability appears only on the Windows platform). The vulnerabilities are fixed in the VirtualBox 6.1.34 update.
  • 6 vulnerabilities in Solaris. The problems affect the kernel and utilities. The most serious issue, in the utilities, is assigned a severity level of 8.2. The vulnerabilities are fixed in the Solaris 11.4 SRU44 update.

Source: opennet.ru
