by using the APIs in the Component to cause a denial of service (DoS) of Oracle Java SE and Oracle GraalVM Enterprise Edition. The listed Oracle Java SE and Oracle GraalVM Enterprise Edition component releases, as well as other versions, may be affected if running on servers. Unpatched versions of Oracle Java SE and Oracle GraalVM Enterprise Edition are vulnerable. However, due to backward compatibility issues, it is likely that only older versions of Oracle Java SE and Oracle GraalVM Enterprise Edition are affected.

Mitigation
Oracle recommends applying the update for vulnerable versions of the Component as soon as possible. Where possible, download and apply the update directly. If an enterprise does not have access to the internet, apply the update for vulnerable versions of the Component via an enterprise management solution. For more information about how to apply this update in an enterprise environment, please refer to: In an enterprise deployment, the application codebase must be redeployed to update the application. If the application is a Web Application, it must be redeployed to update the server-side components, such as the Servlet API and the Java EE 6 API. If the application is a Self-Contained Application, it must likewise be redeployed to update the server-side components, such as the Servlet API and the Java EE 6 API.

Oracle Java SE, JDK and JVM

Security Update
The Oracle Java SE, JDK and JVM Security Update addresses a vulnerability in Oracle Java SE, JDK and JVM that could allow an unauthenticated attacker to cause a denial of service (DoS) of Oracle Java SE, JDK and JVM. The vulnerability addressed by this Security Update has been assigned CVE-2022-21341.

Mitigation
Oracle recommends applying the update for vulnerable versions of the Component as soon as possible. Where possible, download and apply the update directly. If an enterprise does not have access to the internet, apply the update for vulnerable versions of the Component via an enterprise management solution. For more information about how to apply this update in an enterprise environment, please refer to: In an enterprise deployment, the application codebase must be redeployed to update the application. If the application is a Web Application, it must be redeployed to update the server-side components, such as the Servlet API and the Java EE 6 API. If the application is a Self-Contained Application, it must likewise be redeployed to update the server-side components, such as the Servlet API and the Java EE 6 API.

References:

- Oracle "CVE-2022-21341"
- Oracle "CVE-2022-21443"
- Oracle "CVE-2022-21911"

What is Oracle Java SE, Oracle GraalVM Enterprise Edition and the Component?

Oracle Java SE and Oracle GraalVM Enterprise Edition are software development kits (SDKs) that provide tools to create and run applications written in the Java programming language. They include the Java Development Kit (JDK) and one or more server-side components.
The Component is an implementation of the java.lang.reflect package on top of JDK 9, which allows class metadata to be accessed at runtime. The listed Component releases, as well as other versions, may be affected if running on servers. Unpatched versions of Oracle Java SE and Oracle GraalVM Enterprise Edition are vulnerable. However, due to backward compatibility issues, it is likely that only older versions of Oracle Java SE and Oracle GraalVM Enterprise Edition are affected.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:46:00 UTC