CVE-2022-21365 - Denial of Service in Oracle Java SE & GraalVM (ImageIO) – A Deep Dive

In October 2021, Oracle disclosed a vulnerability that directly impacts Java SE and Oracle GraalVM Enterprise Edition via their ImageIO component. The vulnerability—CVE-2022-21365—can be triggered remotely, is easy to exploit, and could result in partial denial of service (DoS), disrupting any service or app using affected versions of these products.

This post will break down CVE-2022-21365 in plain, simple language, show code-level insights, sample triggers, and more. Everything here is written for developers, security engineers, and anyone who wants a better understanding of how one faulty class in Java can ripple into enterprise-scale issues.

Score: 5.3 (CVSS 3.1)

Oracle’s advisory page explains the severity.

How Does It Work? (Technical Dive)

The Java ImageIO API is widely used to read and write images (JPEG, PNG, GIF, etc.). It is not uncommon for untrusted input (e.g., images from the web) to be passed to it.

In this vulnerability, malformed or specially crafted image files can crash the JVM (Java Virtual Machine) or cause it to hang. An attacker can trigger this by sending malicious image data to a service that uses ImageIO.read().

Any Java application exposing ImageIO.read() to user input

The issue applies especially when you trust Java’s sandbox for security, but attackers can break your service even without escaping the sandbox.

Consider this simple “image upload” Java web service endpoint (for clarity)

import javax.imageio.ImageIO;
import java.awt.image.BufferedImage;
import java.io.InputStream;

// Inside your image upload endpoint
public void processImage(InputStream input) throws Exception {
    // Vulnerable call
    BufferedImage img = ImageIO.read(input); // ← Risky if 'input' is attacker-supplied
    if (img == null) {
        throw new RuntimeException("Could not read image.");
    }
    // ...work with image further
}

If an attacker uploads a malicious image file, ImageIO.read() could cause your app to hang or crash.

What Does a Malicious Image Look Like?

Security researchers have found ways to create “zip bombs” or malformed images that attack ImageIO by:

Example: PNG Image Bomb

You could weaponize a PNG that advertises a tiny size, but decompresses to massive data, exhausting the JVM’s memory or causing ImageIO to throw internal exceptions and halt processing.

Step-by-step Exploit Scenario

1. Find a public Java service that accepts image uploads (profile picture service, document scanner, etc.).

Upload the malicious file to the endpoint.

4. Observe partial DoS: the Java service thread processing the image hangs, uses up the heap, or crashes—other users experience slow service, timeouts, or even total system unavailability.

This does not give attackers code execution or info disclosure, but it’s disruptive—especially in multi-user or production contexts.

Real-World Reference & Patch Status

- NIST NVD Record for CVE-2022-21365
- Oracle CPU January 2022 Advisory

Fixed:

Defense & Mitigation

1. Apply patches/upgrades to Java and GraalVM versions immediately.

Set JVM memory limits and timeouts on image processing.

4. If you must support untrusted images, use libraries with proven DoS-resistance (e.g., TwelveMonkeys), or limit image size/check file magic.

TL;DR

- CVE-2022-21365 allows easy network-based partial DoS against Java services using the ImageIO API, if they touch untrusted images.
- Java 7u321, 8u311, 11..13, 17.01, GraalVM 20.3.4/21.3. are vulnerable.

Further Reading

- Oracle advisory
- CVE details & NVD
- Java Secure Coding Guidelines – Input validation

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:50:00 UTC