A new vulnerability, identified as CVE-2022-21305, has been discovered in the Oracle Java SE and Oracle GraalVM Enterprise Edition products. The affected component in both products is Hotspot. The supported versions affected by this vulnerability are Oracle Java SE: 7u321, 8u311, 11..13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.. The vulnerability is easily exploitable and allows an unauthenticated attacker with network access via multiple protocols to compromise the affected Oracle products. Successful exploitation can result in unauthorized update, insert, or delete access to some of Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data.

Vulnerability Details

This vulnerability affects Java deployments typically running sandboxed Java Web Start applications or sandboxed Java applets. These deployments load and run untrusted code (e.g., code from the internet) and rely on the Java sandbox for security. Furthermore, this vulnerability can also be exploited by using APIs in the specified component through a web service that provides data to the APIs.

The base CVSS 3.1 score for this vulnerability is 5.3 with integrity impacts. The CVSS vector is as follows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Consider the following example code snippet to understand the impact of this vulnerability:

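// Illustrative sketch only: UntrustedCode and VulnerableAPI are placeholder
// classes for this example, not real JDK types, so this does not compile as-is.
public class VulnerableComponent {
    public static void main(String[] args) {
        // Loading untrusted code (for example, code fetched from the internet)
        UntrustedCode untrustedCode = new UntrustedCode();
        untrustedCode.loadData();
        untrustedCode.execute();

        // Using vulnerable API: attacker-influenced data reaches the affected component
        VulnerableAPI vulnerableAPI = new VulnerableAPI();
        Object result = vulnerableAPI.processData(untrustedCode.getData());
    }
}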

In this example, the UntrustedCode class loads and executes untrusted code, and the data obtained from it is later processed by the VulnerableAPI class. An attacker can exploit the vulnerability in the specified components by injecting malicious code into the UntrustedCode class, compromising the data processed by the VulnerableAPI class.

Mitigation

To address this vulnerability, Oracle has released patches for the affected versions of Oracle Java SE and Oracle GraalVM Enterprise Edition. It is strongly recommended that users of affected versions update their software to the latest version available, which includes fixes for this vulnerability. Additionally, users should ensure that untrusted code is properly sandboxed and only allowed to run in a restricted environment.

Conclusion

CVE-2022-21305 is a significant vulnerability affecting Oracle Java SE and Oracle GraalVM Enterprise Edition that can give attackers unauthorized update, insert, or delete access to data. Users should promptly apply the available patches to their systems and ensure that untrusted code is restricted to sandboxed environments.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:58:00 UTC