In early 2022, Oracle disclosed CVE-2022-21291, a dangerous flaw in the Hotspot component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This vulnerability, easily exploitable over the network, allows an attacker to change, insert, or delete data without authentication — a concerning scenario for systems running untrusted Java code. In this article, we’ll break down how the bug works, provide code snippets and exploit insights, and link to original resources for further reading.
21.3.
Any systems running these versions and executing untrusted Java (e.g., Java Web Start applications or applets from the internet) are at risk. The flaw is in the Hotspot component, which is responsible for running Java bytecode.
Attack Scenarios
1. Malicious Java Applet: A user visits a website serving a rogue Java applet, which then exploits the bug.
2. Abusing APIs: A web service taking user data and running it through the affected Java APIs can be manipulated.
3. Java Web Start: Downloaded JNLP (Java Network Launch Protocol) applications loading untrusted code.
Why is this so bad?
The flaw allows any attacker on the network to compromise integrity (modify data) in the Java process. Since no credentials or interaction are needed, automation and mass targeting are possible.
How Does the Exploit Work?
The specifics of the vulnerability revolve around how Hotspot manages sandboxed Java code. In affected versions, a bug in the sandbox enforcement allows a maliciously crafted Java class to escape its restrictions and use API calls normally protected by the Java security manager.
For example, an attacker could use a method that’s meant to be inaccessible, such as writing or deleting files, by confusing the Java sandbox.
The attacker creates a malicious .jar containing crafted bytecode.
2. Victim runs the Java applet/JNLP/application (or server-side Java parses attacker input).
Proof-of-Concept (PoC) Snippet
Below is a simplified example showing how malicious code could exploit the flaw to, say, overwrite a file that should be protected by the sandbox:
import java.io.FileWriter;
import java.security.AccessController;
import java.security.PrivilegedAction;
public class ExploitCVE202221291 {
public static void main(String[] args) {
// Attempt to write to a protected file
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
try (FileWriter fw = new FileWriter("important_data.txt", false)) {
fw.write("THIS FILE IS MODIFIED BY ATTACKER");
System.out.println("Exploit successful: File Overwritten!");
} catch (Exception e) {
System.err.println("Exploit failed: " + e);
}
return null;
});
}
}
Normally, AccessController prevents untrusted code from doing this.
- With CVE-2022-21291, this restriction can be bypassed under specific conditions, depending on the exploit vector and environment.
Real-World Impact
- Web Services: If an API endpoint deserializes attacker-supplied Java objects, data can be silently altered.
- Client-Side Sandboxed Apps: Users running untrusted apps are vulnerable to credential theft, malicious inserts/updates/deletes in local databases or files.
References & Further Reading
- NVD Entry
- Oracle Java SE Critical Patch Advisory (Jan 2022)
- SecurityLab: Java Sandbox *(Russian, but offers deep insight)*
- Understanding Java SecurityManager’s Role
Remediation
Upgrade Immediately:
Patch your JDK/JRE or GraalVM to the latest version.
- Oracle Java SE Downloads
- GraalVM Community Downloads
Conclusion
CVE-2022-21291 is a stark reminder that even trusted runtimes like Java can have critical flaws, especially in complicated areas like the sandbox. Any system running untrusted code on affected versions is at risk of unauthorized data modification. Patch now, review your code exposure, and retire obsolete deployment technologies.
Timeline
Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:51:00 UTC