ALAS2022-2022-153

Amazon Linux 2022 Security Advisory: ALAS-2022-153
Advisory Release Date: 2022-10-17 23:30 Pacific
Advisory Updated Date: 2022-11-01 21:25 Pacific

Severity: Medium

References: CVE-2022-21540 CVE-2022-21541 CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-34169 CVE-2022-39399
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Title: Wider MultiByte conversions
Buffer overflow is possible due to incorrect byte count (should be character
count). (CVE-2022-21618)

Title: Improve NTLM support
writeSecurityBuffer() writes a serialized security buffer to be used for NTLM
auth. One of the fields that are serialized is a hostname provided by the
name resolver. If this hostname is very long, integer truncation occurs,
which would allow a malicious hostname to be partially re-interpreted as
something else following a hostname, once the security buffer is deserialized
on the other size. (CVE-2022-21619)

Title: Improve JNDI lookups
JNDI DNS port numbers can be easily guessed and should be more random. (CVE-2022-21624)

Title: Key X509 usages
Decoding of X509 keys may use excessive amount of heap memory. (CVE-2022-21626)

Title: Better HttpServer service
HttpServer eagerly accepts connections which may exceed the limit. (CVE-2022-21628)

Title: Improve HTTP/1.1 client usage
The HTTP/2 connection cache caches connection based on the IP address but not
the SNI which can allow spoofing for servers on the same IP. (CVE-2022-39399)

Affected Packages:

java-11-amazon-corretto

Issue Correction:
Run dnf update java-11-amazon-corretto --releasever=2022.0.20221019 to update your system.

New Packages:

aarch64:
    java-11-amazon-corretto-11.0.17+8-1.amzn2022.aarch64
    java-11-amazon-corretto-devel-11.0.17+8-1.amzn2022.aarch64
    java-11-amazon-corretto-headless-11.0.17+8-1.amzn2022.aarch64
    java-11-amazon-corretto-javadoc-11.0.17+8-1.amzn2022.aarch64
    java-11-amazon-corretto-jmods-11.0.17+8-1.amzn2022.aarch64

src:
    java-11-amazon-corretto-11.0.17+8-1.amzn2022.src

x86_64:
    java-11-amazon-corretto-devel-11.0.17+8-1.amzn2022.x86_64
    java-11-amazon-corretto-headless-11.0.17+8-1.amzn2022.x86_64
    java-11-amazon-corretto-javadoc-11.0.17+8-1.amzn2022.x86_64
    java-11-amazon-corretto-jmods-11.0.17+8-1.amzn2022.x86_64
    java-11-amazon-corretto-11.0.17+8-1.amzn2022.x86_64

Additional References

Red Hat: CVE-2022-21540, CVE-2022-21541, CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21626, CVE-2022-21628, CVE-2022-34169, CVE-2022-39399

Mitre: CVE-2022-21540, CVE-2022-21541, CVE-2022-21618, CVE-2022-21619, CVE-2022-21624, CVE-2022-21626, CVE-2022-21628, CVE-2022-34169, CVE-2022-39399