[USN-6730-1] Apache Maven Shared Utils vulnerability
Chris Kim
chris.kim at canonical.com
Thu Apr 11 23:27:32 UTC 2024
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
==========================================================================
Ubuntu Security Notice USN-6730-1
April 11, 2024
maven-shared-utils vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- - Ubuntu 22.04 LTS
- - Ubuntu 20.04 LTS
- - Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- - Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- - Ubuntu 14.04 LTS (Available with Ubuntu Pro)
Summary:
maven-shared-utils could be made to run programs if it received
specially crafted input.
Software Description:
- - maven-shared-utils: A collection of Maven utility classes.
Details:
It was discovered that Apache Maven Shared Utils did not handle double-quoted
strings properly, allowing shell injection attacks. This could allow an
attacker to run arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libmaven-shared-utils-java 3.3.0-1ubuntu0.22.04.1
Ubuntu 20.04 LTS:
libmaven-shared-utils-java 3.3.0-1ubuntu0.20.04.1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 3.3.0-1ubuntu0.18.04.1~esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 0.9-1ubuntu0.1~esm1
Ubuntu 14.04 LTS (Available with Ubuntu Pro):
libmaven-shared-utils-java 0.4-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6730-1
CVE-2022-29599
Package Information:
https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.20.04.1
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmYYcLwACgkQ3gXQmO/T
r3yYcRAAgdreHC0o+VtyTJL/jorqqs7vKGZv4qC0XhaP69STRNtlSR4rG4I9wRqm
BOhmBVLJylEtxfAxiWrnag5N04CBR12nr/Shk+JCm06e/5ROnu9LYiCoMowORZzy
Nnlu82qRmCwvnL9iSWzI4wnArDehMVniOCMmWNCfpa6/UXoh1gVCjikRAWRlBOAv
uA0KrR0cNwJ90G5wuB59zqxoUPZBf+AVCkjXYSv5WbWTvLrZbz8zhmKvc8kqu1OL
0D05mwH5kxXuhapZ8kBqapytjP+GmuRjHFI7kk+3yhPul2J0JDcNGO99lOZ2lUfz
IXk1S/XQTt2aEhdoanrpI6lVXcVHA0yr5I03bFEDg8D1BwZRm29KBrH2wsHdpN6J
XWIHfaHR7kYfDVsm9kpc72b7jv/aDD66vPsI/W3A/2QttpwpjwXgZSc2Mtx/WE+T
O5/b0jtpNrwHHYLigE2PYMPaRPjxtxhQ7qnd6FccNQl9+fOrKw9NHBAu0r5s4jlI
cU9d47W/mdEcM3y5OuSe8lN6rtHsvnjaQxuuO5lCLKIOpohi7YyyaU5aHGXns34P
FnImexzC8YxRvbR5ku/4ZgOAcPv9kC0wMDiC7rggqLGlhsohoca1wXG2TRIsinx5
fRFjffvqcF6bbfyjWIKKZaM4y1QmhX3+Eth77QEqLb0InJAWDp4=
=P4zw
-----END PGP SIGNATURE-----
More information about the ubuntu-security-announce
mailing list