CVE-2022-21305 - Unauthorized Data Modification in Oracle Java SE & GraalVM via Hotspot

In late 2021, Oracle disclosed CVE-2022-21305, a security vulnerability affecting several popular versions of Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability targets the Hotspot component and gives attackers a way to change certain data without authorization—simply by delivering malicious network requests. In this post, we’ll break down what CVE-2022-21305 is, why it matters, show how an attacker could exploit it, and help you understand how to prevent it.

Exploit Difficulty: Easy

- Impact: Unauthorized update/insert/delete to app data (integrity violation)

Original Advisory:
https://www.oracle.com/security-alerts/cpujan2022.html#AppendixJAVA
NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2022-21305

What’s the Problem?

The flaw is in Hotspot, the Java Virtual Machine (JVM) runtime that powers both Java SE and GraalVM Enterprise. Under certain conditions, if Java runs untrusted code (like Java applets or Web Start apps from the internet) or handles data from an untrusted source via Hotspot APIs, an attacker can craft data that allows them to change records—think of it as someone sneaking in a forged form to edit sensitive information.

Who’s at risk?

Java SE and GraalVM deployments that run _untrusted code_.

- Examples: Corporate apps that allow code plugins, web applications accepting serialized input, or online services using Java applets.

Here’s how an attack might look

1. Attacker crafts data that abuses the Hotspot component's vulnerability, targeting a public Java-powered app.

Delivers the data (via network, web service, or malicious website).

3. Target's Java process processes this data, believing it's safe. The attacker’s payload leverages the Hotspot flaw to tamper with records—altering, adding, or deleting specific data.

Note: The exploitation does not require the user to be authenticated or to even click anything.

Example Code: Simulating the Exploit Path

Let’s simulate a vulnerable scenario: a Java web service that deserializes untrusted data, assuming the JVM’s Hotspot will enforce sandbox rules.

Vulnerable Java code:

import java.io.*;
import java.net.*;

public class VulnerableServer {
    public static void main(String[] args) throws Exception {
        ServerSocket serverSocket = new ServerSocket(8888);
        System.out.println("Server running on port 8888...");
        while (true) {
            Socket client = serverSocket.accept();
            ObjectInputStream in = new ObjectInputStream(client.getInputStream());
            // The following line is unsafe if object comes from an attacker
            Object obj = in.readObject();
            // Suppose this object is used to update records...
            process(obj); // Application-specific logic
        }
    }
    private static void process(Object input) {
        // Example code, this might update a database
        System.out.println("Received: " + input);
    }
}

In this example, if readObject() receives a malicious payload that triggers the Hotspot issue (such as an object that, when deserialized, gives access to code able to call protected JVM APIs), the attacker can modify data even if they shouldn’t be able to.

Exploit Details (How Could This Be Used?)

- Untrusted Code: The vulnerability mostly applies to sandboxed Java code (like applets or Web Start apps) or APIs that process user-supplied data.
- Attack Vector: The attacker sends a crafted payload (network, web service, or direct request if the server listens for inputs).
- Result: Code inside the JVM, which should be sandboxed, ends up able to mutate application data (e.g., updating a user’s profile, inserting rows into a database, or deleting records) from outside sources.

Demonstration: Exploit Payload

While Oracle has not publicly released the exact technical details for risk mitigation, a typical attack would likely involve a serialized Java object or a specially-crafted bytecode segment that gets executed in the victim JVM, bypassing expected sandbox restrictions.

For educational purposes, here’s an example of what an attacker’s payload might look like (non-malicious, for simulation):

Python code to send a Java serialized object

import socket
# Simulate sending a serializable Java exploit (placeholder)
with socket.create_connection(('target-ip', 8888)) as sock:
    sock.sendall(b'\xac\xed\x00\x05sr\x00\x05Haxxx...\x00\x00\x00...')  # Insert real exploit here

*Note: Real payloads are binary, generated by Java exploit frameworks, which might use chains like ysoserial for exploitation.*

If you’re affected

- Patch immediately: Install the Oracle CPU January 2022 updates.
- Avoid deserializing untrusted data: Never deserialize objects from the network unless you trust the source.
- Turn off applet/Web Start code where not needed: Most modern platforms have already disabled these features.

Conclusion

CVE-2022-21305 reminds us that running untrusted code or accepting user-controlled input—even inside a "sandbox"—can open serious data manipulation vulnerabilities if the underlying platform has bugs. Patch your Java runtimes, audit your applications for unsafe practices like unsafe deserialization, and stay updated with security advisories. For more, see:

- Oracle Security Alert CPU Jan 2022
- CVE-2022-21305 (NVD)
- Secure coding guidelines for Java SE

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:58:00 UTC