through an application that sends requests to these APIs. The attacker needs to be able to control or manipulate the application in some way in order to exploit this vulnerability. If the attacker is able to control or manipulate an application that allows access to Oracle Java SE, Oracle GraalVM Enterprise Edition, then they may be able to exploit this vulnerability.

NOTE: This component can be blocked by firewall settings. If you have access to the Internet, then you may need to change these settings to allow the traffic to Oracle Java SE, Oracle GraalVM Enterprise Edition. If you cannot change the settings, then it is likely that the only way for you to exploit this vulnerability is by using a malicious application or by using the Internet.

An attacker may try to host a malicious web site or server that exploits this vulnerability. Alternatively, an attacker may try to exploit this vulnerability by causing a target application to send requests to an untrusted web site or server. However, due to the nature of the Java sandbox, which does not allow applications to access resources outside of the host operating system, unless a target application has been compromised, or unless an application has been manually configured by an administrator, or unless an application has been deployed on a machine where the attacker has partial control of the DNS settings, it is unlikely that an attacker can direct a target application to a malicious web site or server.

Vulnerability Details

The vulnerability exists because the application uses the affected Java APIs. To exploit this vulnerability, an attacker would first need to control or manipulate the application in some way. If they are able to control or manipulate an application that allows access to Oracle Java SE, Oracle GraalVM Enterprise Edition, then they may be able to exploit this vulnerability.

If you have access to the Internet, then you may need to change these settings to allow traffic for Oracle Java SE, Oracle GraalVM Enterprise Edition. If you cannot change your settings, then it is likely that the only way for you to exploit this vulnerability is by using a malicious application or by using the Internet.

Vulnerability Scoring

Under the CVSS scoring system, Oracle Java SE receives a base score of 8.3. This score is calculated from the output of the following CVSS v3 calculations:
- Risk Assessment (4.7)
- Exploitability (4.6)
- Access Vector (4.2)
- Authentication Strength (4.4)
- Confidentiality Impact (4.8)
- Integrity Impact (N/A)

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:51:00 UTC

References