USN-5245-1: Apache Maven vulnerability
18 August 2022
Apache Maven could be made to crash or run programs if it received specially crafted input.
Releases
Packages
- maven - Java software project management and comprehension tool
Details
It was discovered that Apache Maven followed repositories that are defined in a
dependency's Project Object Model (pom) even if the repositories weren't
encrypted (http protocol). An attacker could use this vulnerability to take
over a repository, execute arbitrary code or cause a denial of service.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04
-
maven
-
3.6.3-5ubuntu0.1~esm1
Available with Ubuntu Pro
-
libmaven3-core-java
-
3.6.3-5ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04
-
maven
-
3.6.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
-
libmaven3-core-java
-
3.6.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04
-
maven
-
3.6.0-1~18.04.1ubuntu0.1~esm1
Available with Ubuntu Pro
-
libmaven3-core-java
-
3.6.0-1~18.04.1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04
-
maven
-
3.3.9-3ubuntu0.1~esm1
Available with Ubuntu Pro
-
libmaven3-core-java
-
3.3.9-3ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.