by using the JNLP file in web applications that provide a Java fallback mechanism. Critical - CVSS 3.0 Base Score 4.3 Confidentiality Impact Critical Due to the nature of the vulnerability, information is kept confidential. However, an unauthenticated attacker can exploit this vulnerability to gain access to critical information. Note: This information has been provided to CVE and has been assigned the ID CVE-2019-0385. CVSS 2.1 Base Score 6.5 (Confidentiality Impacted) Access Vector Used for Exploitation Remotely Accessed System Impact Access Complexity High Authentication Not required to exploit Vulnerable subsystem Remotely Unauthenticated Very high The flaw exists due to incorrect validation of user input before usage. An attacker can leverage this vulnerability to execute arbitrary code on the system and cause denial of service. Additionally an attacker can leverage this vulnerability to access sensitive information.
Vulnerability Summary
A vulnerability has been identified within the Java Web Start implementation that can be exploited to allow arbitrary code execution on a vulnerable system. This vulnerability is due to improper handling of user input before usage. An attacker can leverage this vulnerability to execute arbitrary code on the system and cause denial of service. Additionally an attacker can utilize this vulnerability to access sensitive information.
JMX Remote Execution of Code
The Java Management Extension (JMX) is a specification that allows components to be managed remotely. The JMX Remote Execution of Code specification defines a security model for the remote execution of code on the system. The Security Model defines how to handle different kinds of assumptions made by applications, such as the assumption that the code is being executed locally or on an untrusted host.
There are two types of assumptions:
- Networked assumptions: These assumptions take place when instances are not running on the same host and are instead running on remote hosts.
- Untrusted host assumptions: These assumptions take place when code is being executed against an untrusted host, typically another application instance.
An attacker can leverage this vulnerability to execute arbitrary code on a user's system and cause denial of service. Additionally an attacker can leverage this vulnerability to access sensitive information.
Vulnerability Scenario##
An attacker can leverage this vulnerability to execute arbitrary code on the system and cause denial of service. Additionally an attacker can leverage this vulnerability to access sensitive information.
Vulnerability Symptoms
An attacker can leverage this vulnerability to execute arbitrary code on the system and cause denial of service. Additionally an attacker can leverage this vulnerability to access sensitive information.
Timeline
Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 15:01:00 UTC
References
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.netapp.com/advisory/ntap-20220121-0007/
- https://www.debian.org/security/2022/dsa-5057
- https://www.debian.org/security/2022/dsa-5058
- https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21283