CVE-2022-21349 The Oracle Java SE product has a vulnerability in the 2D component. It is affected by versions 7u321, 8u311, 20.3.4 and 21.3.0.

by using the Java Web Start API. The vulnerability can be exploited through Web Applications or over email. The security risk of both these attacks is estimated as medium. The first attack vector could be exploited by sending an email with WebExtension enabled attachments. The second attack vector could be exploited by Web Applications, where content is enabled for WebExtensions. 2D is running on GraalVM. Details about 2D are specified in the Component description. CVE-2018-32765 The vulnerability can be exploited by an unauthenticated attacker through Web Applications or over email. The security risk of both these attacks is estimated as medium. The first attack vector could be exploited by sending an email with WebExtension enabled attachments. The second attack vector could be exploited by Web Applications, where content is enabled for WebExtensions. Graal is running on GraalVM. Details about Graal are specified in the Component description. CVE-2018-32766 The vulnerability can be exploited by an unauthenticated attacker through Web Applications or over email. The security risk of both these attacks is estimated as medium. The first attack vector could be exploited by sending an email with WebExtension enabled attachments. The second attack vector could be exploited by Web Applications, where content is enabled for WebExtensions. Graal is running on GraalVM. Details about Graal are specified in the Component description

Vulnerability Discovery and Investigation

Vulnerabilities can be discovered and exploited by an unauthenticated attacker. These vulnerabilities are not unique to 2D.

2D - What is 2D?

2D is a Java component that allows you to run JVM bytecode in native code without the need for JIT compilation. 2D supports static compilation of bytecode into native machine code during startup, as well as dynamic compilation during runtime.
There are two major attack vectors of CVE-2018-32765 and CVE-2018-32766:
An unauthenticated attacker exploiting these vulnerabilities can execute arbitrary code on the target machine.
An unauthenticated attacker can read sensitive information from the target machine by using WebExtension enabled content or opening a malicious URL.

Vulnerability discovery - 2D

2D is running on GraalVM. Details about 2D are specified in the Component description.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 15:00:00 UTC

References

• https://www.oracle.com/security-alerts/cpujan2022.html
• https://security.netapp.com/advisory/ntap-20220121-0007/
• https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21349