Vulnerabilities in Java SE, MySQL, VirtualBox and Solaris; ability to forge ECDSA signatures in Java

Oracle has published its scheduled Critical Patch Update, which addresses critical problems and vulnerabilities in its products. The April update fixes 520 vulnerabilities in total.

Some of the issues:

  • 6 security issues in Java SE. All of them can be exploited remotely without authentication and affect environments that run untrusted code. Two were assigned a severity level of 7.5. The vulnerabilities are fixed in Java SE 18.0.1, 11.0.15 and 8u331.

    One of the issues (CVE-2022-21449) allows forging an ECDSA digital signature by using zero values for the signature parameters (if the parameters are zero, Java considered the ECDSA signature valid). Among other things, the issue can be used to generate forged TLS certificates that Java accepts as valid, to bypass WebAuthn authentication, and to forge JWT signatures and OIDC tokens. In other words, the vulnerability makes it possible to produce universal certificates and signatures that are accepted as valid by Java handlers that use the standard java.security classes for verification.

  • 26 vulnerabilities in MySQL Server, two of which can be exploited remotely. The most serious issues, related to the use of OpenSSL and Protobuf, were assigned a severity level of 7.5. Less dangerous vulnerabilities affect the Optimizer, InnoDB, replication, the PAM plugin, DDL, DML, FTS and logging. The issues are fixed in MySQL Community Server 8.0.29 and 5.7.38.
  • 5 vulnerabilities in VirtualBox. The issues were assigned severity levels from 7.5 down to 3.8 (the most dangerous vulnerability manifests only on the Windows platform). They are fixed in VirtualBox 6.1.34.
  • 6 vulnerabilities in Solaris. The issues affect the kernel and utilities; the most serious one, in the utilities, was assigned a severity level of 8.2. They are fixed in Solaris 11.4 SRU44.
Source: media reports.