1. Ubuntu Security Notices
  2. USN-5245-1

USN-5245-1: Apache Maven vulnerability

Publication date

18 August 2022

Overview

Apache Maven could be made to crash or run programs if it received specially crafted input.

Releases

Packages

  • maven - Java software project management and comprehension tool

Details

It was discovered that Apache Maven followed repositories that are defined in a
dependency’s Project Object Model (pom) even if the repositories weren’t
encrypted (http protocol). An attacker could use this vulnerability to take
over a repository, execute arbitrary code or cause a denial of service.

It was discovered that Apache Maven followed repositories that are defined in a
dependency’s Project Object Model (pom) even if the repositories weren’t
encrypted (http protocol). An attacker could use this vulnerability to take
over a repository, execute arbitrary code or cause a denial of service.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
22.04 jammy maven –  3.6.3-5ubuntu0.1~esm1  
libmaven3-core-java –  3.6.3-5ubuntu0.1~esm1  
20.04 focal maven –  3.6.3-1ubuntu0.1~esm1  
libmaven3-core-java –  3.6.3-1ubuntu0.1~esm1  
18.04 bionic maven –  3.6.0-1~18.04.1ubuntu0.1~esm1  
libmaven3-core-java –  3.6.0-1~18.04.1ubuntu0.1~esm1  
16.04 xenial maven –  3.3.9-3ubuntu0.1~esm1  
libmaven3-core-java –  3.3.9-3ubuntu0.1~esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›