TOS CVE Security Fixes

The following links represent the list of CVEs (Common Vulnerabilities and Exposures) that are fixed in each release of TOS.

R25-1

R24-2

R24-1

R23-2

None at this time.

R23-1

Java

  • (PHF2.0.0) CVE-2022-42889 - Apache Commons Text Java Library

  • (PRC1.0.0) CVE-2023-21830 - OpenJDK: possible unauthorized update, insert or delete access to accessible data

  • (PRC1.0.0) CVE-2023-21843 - OpenJDK: possible unauthorized update, insert or delete access to accessible data

  • (PGA.0.0) CVE-2021-44228 - Apache Log4j Vulnerability (Log4Shell)

  • (PGA.0.0) CVE-2021-45046 - Apache Log4j Vulnerability

  • (PGA.0.0) CVE-2021-45105 - Apache Log4j Vulnerability

  • (PGA.0.0) CVE-2021-44832 - Apache Log4j Vulnerability

R22-2

Java

  • (PHF2.0.0) CVE-2023-21830 - OpenJDK: possible unauthorized update, insert or delete access to accessible data

  • (PHF2.0.0) CVE-2023-21843 - OpenJDK: possible unauthorized update, insert or delete access to accessible data

  • (PGA.0.0) CVE-2022-21619 - OpenJDK: improper handling of long NTLM client hostnames

  • (PGA.0.0) CVE-2022-21624 - OpenJDK: insufficient randomization of JNDI DNS port numbers

  • (PGA.0.0) CVE-2022-21626 - OpenJDK: excessive memory allocation in X.509 certificate parsing

  • (PGA.0.0) CVE-2022-21628 - OpenJDK: HttpServer no connection count limit

  • (PGA.0.0) CVE-2022-21540 - OpenJDK: class compilation issue

  • (PGA.0.0) CVE-2022-21541 - OpenJDK: improper restriction of MethodHandle.invokeBasic()

  • (PGA.0.0) CVE-2022-34169 - OpenJDK: integer truncation issue in Xalan-J

  • (PGA.0.0) CVE-2022-21426 - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions

  • (PGA.0.0) CVE-2022-21434 - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler

  • (PGA.0.0) CVE-2022-21443 - OpenJDK: Missing check for negative ObjectIdentifier

  • (PGA.0.0) CVE-2022-21476 - OpenJDK: Defective secure validation in Apache Santuario

  • (PGA.0.0) CVE-2022-21496 - OpenJDK: URI parsing inconsistencies

R22-1

Java

  • (PHF4.0.0) CVE-2022-21619 - OpenJDK: improper handling of long NTLM client hostnames

  • (PHF4.0.0) CVE-2022-21624 - OpenJDK: insufficient randomization of JNDI DNS port numbers

  • (PHF4.0.0) CVE-2022-21626 - OpenJDK: excessive memory allocation in X.509 certificate parsing

  • (PHF4.0.0) CVE-2022-21628 - OpenJDK: HttpServer no connection count limit

  • (PHF4.0.0) CVE-2022-21540 - OpenJDK: class compilation issue

  • (PHF4.0.0) CVE-2022-21541 - OpenJDK: improper restriction of MethodHandle.invokeBasic()

  • (PHF4.0.0) CVE-2022-34169 - OpenJDK: integer truncation issue in Xalan-J

  • (PHF4.0.0) CVE-2022-21426 - OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions

  • (PHF4.0.0) CVE-2022-21434 - OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler

  • (PHF4.0.0) CVE-2022-21443 - OpenJDK: Missing check for negative ObjectIdentifier

  • (PHF4.0.0) CVE-2022-21476 - OpenJDK: Defective secure validation in Apache Santuario

  • (PHF4.0.0) CVE-2022-21496 - OpenJDK: URI parsing inconsistencies

  • (PRC1.0.0) CVE-2021-35550 - OpenJDK: Weak ciphers preferred over stronger ones for TLS

  • (PRC1.0.0) CVE-2021-35556 - OpenJDK: Excessive memory allocation in RTFParser

  • (PRC1.0.0) CVE-2021-35559 - OpenJDK: Excessive memory allocation in RTFReader

  • (PRC1.0.0) CVE-2021-35561 - OpenJDK: Excessive memory allocation in HashMap and HashSet

  • (PRC1.0.0) CVE-2021-35564 - OpenJDK: Certificates with end dates too far in the future can corrupt keystore

  • (PRC1.0.0) CVE-2021-35565 - OpenJDK: Loop in HttpsServer triggered during TLS session close

  • (PRC1.0.0) CVE-2021-35567 - OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation

  • (PRC1.0.0) CVE-2021-35578 - OpenJDK: Unexpected exception raised during TLS handshake

  • (PRC1.0.0) CVE-2021-35586 - OpenJDK: Excessive memory allocation in BMPImageReader

  • (PRC1.0.0) CVE-2021-35588 - OpenJDK: Incomplete validation of inner class references in ClassFileParser

  • (PRC1.0.0) CVE-2021-35603 - OpenJDK: Non-constant comparison during TLS handshakes

  • (PRC1.0.0) CVE-2022-21248 - OpenJDK: Incomplete deserialization class filtering in ObjectInputStream

  • (PRC1.0.0) CVE-2022-21282 - OpenJDK: Insufficient URI checks in the XSLT TransformerImpl

  • (PRC1.0.0) CVE-2022-21283 - OpenJDK: Unexpected exception thrown in regex Pattern

  • (PRC1.0.0) CVE-2022-21293 - OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization

  • (PRC1.0.0) CVE-2022-21294 - OpenJDK: Incorrect IdentityHashMap size checks during deserialization

  • (PRC1.0.0) CVE-2022-21296 - OpenJDK: Incorrect access checks in XMLEntityManager

  • (PRC1.0.0) CVE-2022-21299 - OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner

  • (PRC1.0.0) CVE-2022-21305 - OpenJDK: Array indexing issues in LIRGenerator

  • (PRC1.0.0) CVE-2022-21340 - OpenJDK: Excessive resource use when reading JAR manifest attributes

  • (PRC1.0.0) CVE-2022-21341 - OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream

  • (PRC1.0.0) CVE-2022-21360 - OpenJDK: Excessive memory allocation in BMPImageReader

  • (PRC1.0.0) CVE-2022-21365 - OpenJDK: Integer overflow in BMPImageReader

R21-3

Java

  • (PGA.0.0) CVE-2021-35550 - OpenJDK: Weak ciphers preferred over stronger ones for TLS

  • (PGA.0.0) CVE-2021-35556 - OpenJDK: Excessive memory allocation in RTFParser

  • (PGA.0.0) CVE-2021-35559 - OpenJDK: Excessive memory allocation in RTFReader

  • (PGA.0.0) CVE-2021-35561 - OpenJDK: Excessive memory allocation in HashMap and HashSet

  • (PGA.0.0) CVE-2021-35564 - OpenJDK: Certificates with end dates too far in the future can corrupt keystore

  • (PGA.0.0) CVE-2021-35565 - OpenJDK: Loop in HttpsServer triggered during TLS session close

  • (PGA.0.0) CVE-2021-35567 - OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation

  • (PGA.0.0) CVE-2021-35578 - OpenJDK: Unexpected exception raised during TLS handshake

  • (PGA.0.0) CVE-2021-35586 - OpenJDK: Excessive memory allocation in BMPImageReader

  • (PGA.0.0) CVE-2021-35588 - OpenJDK: Incomplete validation of inner class references in ClassFileParser

  • (PGA.0.0) CVE-2021-35603 - OpenJDK: Non-constant comparison during TLS handshakes

  • (PGA.0.0) CVE-2021-2388 - OpenJDK: Incorrect comparison during range check elimination

  • (PRC1.0.0) CVE-2021-2369 - OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files

  • (PRC1.0.0) CVE-2021-2341 - OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host

  • (PRC1.0.0) CVE-2021-2163 - OpenJDK: Incomplete enforcement of JAR signing disabled algorithms

  • (PHF2.0.0) CVE-2022-21248 - OpenJDK: Incomplete deserialization class filtering in ObjectInputStream

  • (PHF2.0.0) CVE-2022-21282 - OpenJDK: Insufficient URI checks in the XSLT TransformerImpl

  • (PHF2.0.0) CVE-2022-21283 - OpenJDK: Unexpected exception thrown in regex Pattern

  • (PHF2.0.0) CVE-2022-21293 - OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization

  • (PHF2.0.0) CVE-2022-21294 - OpenJDK: Incorrect IdentityHashMap size checks during deserialization

  • (PHF2.0.0) CVE-2022-21296 - OpenJDK: Incorrect access checks in XMLEntityManager

  • (PHF2.0.0) CVE-2022-21299 - OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner

  • (PHF2.0.0) CVE-2022-21305 - OpenJDK: Array indexing issues in LIRGenerator

  • (PHF2.0.0) CVE-2022-21340 - OpenJDK: Excessive resource use when reading JAR manifest attributes

  • (PHF2.0.0) CVE-2022-21341 - OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream

  • (PHF2.0.0) CVE-2022-21360 - OpenJDK: Excessive memory allocation in BMPImageReader

  • (PHF2.0.0) CVE-2022-21365 - OpenJDK: Integer overflow in BMPImageReader

R21-2

Java

  • (PHF2) CVE-2021-35550 - OpenJDK: Weak ciphers preferred over stronger ones for TLS

  • (PHF2) CVE-2021-35556 - OpenJDK: Excessive memory allocation in RTFParser

  • (PHF2) CVE-2021-35559 - OpenJDK: Excessive memory allocation in RTFReader

  • (PHF2) CVE-2021-35561 - OpenJDK: Excessive memory allocation in HashMap and HashSet

  • (PHF2) CVE-2021-35564 - OpenJDK: Certificates with end dates too far in the future can corrupt keystore

  • (PHF2) CVE-2021-35565 - OpenJDK: Loop in HttpsServer triggered during TLS session close

  • (PHF2) CVE-2021-35567 - OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation

  • (PHF2) CVE-2021-35578 - OpenJDK: Unexpected exception raised during TLS handshake

  • (PHF2) CVE-2021-35586 - OpenJDK: Excessive memory allocation in BMPImageReader

  • (PHF2) CVE-2021-35588 - OpenJDK: Incomplete validation of inner class references in ClassFileParser

  • (PHF2) CVE-2021-35603 - OpenJDK: Non-constant comparison during TLS handshakes

  • (PHF1) CVE-2021-2388 - OpenJDK: Incorrect comparison during range check elimination

  • (PHF1) CVE-2021-2369 - OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files

  • (PHF1) CVE-2021-2341 - OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host

  • (PGA) CVE-2021-2163 - OpenJDK: Incomplete enforcement of JAR signing disabled algorithms

jQuery

  • (PGA) CVE-2020-11023 - In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

  • (PGA) CVE-2020-11022 - In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

  • (PGA) CVE-2019-11358 - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

R21-1

Java

  • (PRC1) CVE-2020-14556 - OpenJDK: Incorrect handling of access control context in ForkJoinPool

  • (PRC1) CVE-2020-14577 - OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form

  • (PRC1) CVE-2020-14578 - OpenJDK: Unexpected exception raised by DerInputStream

  • (PRC1) CVE-2020-14579 - OpenJDK: Unexpected exception raised by DerValue.equals()

  • (PRC1) CVE-2020-14583 - OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access

  • (PRC1) CVE-2020-14593 - OpenJDK: Incomplete bounds checks in Affine Transformations

  • (PRC1) CVE-2020-14621 - OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature

R20-2

Tufin SecureTrack

Tufin SecureChange

Java

  • (GA) CVE-2020-14556 - OpenJDK: Incorrect handling of access control context in ForkJoinPool

  • (GA) CVE-2020-14577 - OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form

  • (GA) CVE-2020-14578 - OpenJDK: Unexpected exception raised by DerInputStream

  • (GA) CVE-2020-14579 - OpenJDK: Unexpected exception raised by DerValue.equals()

  • (GA) CVE-2020-14583 - OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access

  • (GA) CVE-2020-14593 - OpenJDK: Incomplete bounds checks in Affine Transformations

  • (GA) CVE-2020-14621 - OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature

  • (RC1) CVE-2020-2754 - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner

  • (RC1) CVE-2020-2755 - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser

  • (RC1) CVE-2020-2756 - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization

  • (RC1) CVE-2020-2757 - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass

  • (RC1) CVE-2020-2773 - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory

  • (RC1) CVE-2020-2781 - OpenJDK: Re-use of single TLS session for new connections

  • (RC1) CVE-2020-2800 - OpenJDK: CRLF injection into HTTP headers in HttpServer

  • (RC1) CVE-2020-2803 - OpenJDK: Incorrect bounds checks in NIO Buffers

  • (RC1) CVE-2020-2805 - OpenJDK: Incorrect type checks in MethodType.readObject()

  • (RC1) CVE-2020-2830 - OpenJDK: Regular expression DoS in Scanner

R20-1

Tufin SecureTrack

  • (HF3) CVE-2020-13133 - Low Severity Cross-Site Scripting (XSS) Vulnerabilities in SecureChange

  • (HF3) CVE-2020-13134 - Low Severity Cross-Site Scripting (XSS) Vulnerabilities in SecureChange

Java

  • (HF3) CVE-2020-14577 - OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form

  • (HF3) CVE-2020-14578 - OpenJDK: Unexpected exception raised by DerInputStream

  • (HF3) CVE-2020-14579 - OpenJDK: Unexpected exception raised by DerValue.equals()

  • (HF3) CVE-2020-14583 - OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access

  • (HF3) CVE-2020-14593 - OpenJDK: Incomplete bounds checks in Affine Transformations

  • (HF3) CVE-2020-14621 - OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature

  • (HF1) CVE-2020-2754 - OpenJDK: Misplaced regular expression syntax error check in RegExpScanner

  • (HF1) CVE-2020-2755 - OpenJDK: Incorrect handling of empty string nodes in regular expression Parser

  • (HF1) CVE-2020-2756 - OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization

  • (HF1) CVE-2020-2757 - OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass

  • (HF1) CVE-2020-2773 - OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory

  • (HF1) CVE-2020-2781 - OpenJDK: Re-use of single TLS session for new connections

  • (HF1) CVE-2020-2800 - OpenJDK: CRLF injection into HTTP headers in HttpServer

  • (HF1) CVE-2020-2803 - OpenJDK: Incorrect bounds checks in NIO Buffers

  • (HF1) CVE-2020-2805 - OpenJDK: Incorrect type checks in MethodType.readObject()

  • (HF1) CVE-2020-2830 - OpenJDK: Regular expression DoS in Scanner

  • (RC1) CVE-2020-2583 - OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport

  • (RC1) CVE-2020-2590 - OpenJDK: Improper checks of SASL message properties in GssKrb5Base

  • (RC1) CVE-2020-2593 - OpenJDK: Incorrect isBuiltinStreamHandler check causing URL normalization issues

  • (RC1) CVE-2020-2601 - OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS

  • (RC1) CVE-2020-2604 - OpenJDK: Serialization filter changes via jdk.serialFilter property modification

  • (RC1) CVE-2020-2654 - OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing

  • (RC1) CVE-2020-2659 - OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl

  • (HF3) CVE-2020-14556 - OpenJDK: Incorrect handling of access control context in ForkJoinPool