A security vulnerability has been identified in the Oracle Java SE and Oracle GraalVM Enterprise Edition products, specifically within the Libraries component of these software systems. This vulnerability has been assigned the identifier CVE-2022-21294 and affects the following supported versions: Oracle Java SE 7u321, 8u311, 11.0.13, and 17.0.1; Oracle GraalVM Enterprise Edition 20.3.4 and 21.3.0. Successful exploitation of this vulnerability can lead to a partial denial of service (DoS), impacting the availability of the affected software.

Exploit Details

CVE-2022-21294 is classified as a network attack, meaning that an unauthenticated attacker with network access can exploit this vulnerability using multiple protocols. The attack complexity is rated Low (the vulnerability is considered easy to exploit), and the impact of a successful attack is the unauthorized ability to cause a partial denial of service.

This vulnerability is particularly applicable to Java deployments where clients are running sandboxed Java Web Start applications or sandboxed Java applets, which load and run untrusted code. For example, this might include code from the internet that relies on the Java sandbox for security. The vulnerability can also be exploited by using APIs in the specified component, such as through a web service that supplies data to the APIs.

The CVSS 3.1 Base Score for this vulnerability is 5.3, a Medium severity rating in which the only impact is on availability. The full CVSS Vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, which encodes the attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity and availability impacts.

Code Snippet

While specific exploit code has not been provided, the vulnerability exists within the Libraries component of Oracle Java SE and Oracle GraalVM Enterprise Edition. Any Java code that interacts with these libraries, especially when handling untrusted code or data, is at risk. Developers and administrators should ensure they are using the latest patched versions of the affected software to mitigate the risk.

For more detailed information on this vulnerability, please consult the following resources:

1. Oracle Critical Patch Update Advisory - January 2022: https://www.oracle.com/security-alerts/cpujan2022.html
2. CVE-2022-21294 - NVD CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-21294
3. CVSS v3.1: Specification Document: https://www.first.org/cvss/specification-document

Conclusion

It is highly recommended that any administrators or developers using the affected Oracle Java SE or Oracle GraalVM Enterprise Edition versions immediately patch their systems to reduce the risk of exploitation. Be sure to follow Oracle's guidelines and best practices to maximize security in Java deployments, particularly when processing potentially untrusted code or data. The risk of a partial denial of service attack, while not considered critical, can still have a significant impact on your software system's availability and overall stability.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 15:12:00 UTC