by using the ImageIO API to create and/or manipulate images in a way that causes arbitrary code to be run in the context of the user running the application with full privileges. In all cases, a successful attack requires that a user clicks a malicious link or opens a malicious attachment or download. An attacker may attempt to entice a user to click a link that has the ability to run code in the context of the user running the application with full privileges.

How can this vulnerability be exploited?

In order to exploit this vulnerability, an attacker would have to convince a user to click a malicious link or open a malicious attachment or download. To successfully exploit this vulnerability, an attacker would have to leverage either social engineering or the ability to convince a user to open a malicious attachment or download.

What systems are affected by this vulnerability?

Oracle Java SE and Oracle GraalVM Enterprise Edition are affected by this vulnerability.

What does this update do?

This update provides mitigations for the Oracle ImageIO component that help prevent attempts to exploit this vulnerability. The update also provides the latest version of the Oracle Java SE and Oracle GraalVM Enterprise Edition components.

When this security bulletin was issued, had these vulnerabilities been disclosed publicly?

This vulnerability has been publicly disclosed. It has been assigned Common Vulnerabilities and Exposures (CVE) number CVE-2018-3365.

Oracle Java SE - CVE-2018-3365 Description:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java SE. Authentication is required to exploit this vulnerability.
Affected versions: Oracle Java SE 6u161, 7u151 and 8u144

Oracle Java SE CVE Number Summary

CVE-2018-3365: ImageIO Component
This vulnerability is remotely exploitable without authentication. A successful exploit could allow a remote attacker to execute arbitrary code on the target system in the context of the user running the application with full privileges.

Oracle Java SE Security Updates and Improvements

Oracle Java SE has released the following security updates and improvements:

What does the update do?

This update includes multiple security fixes. The following table lists the high-priority vulnerabilities that have been addressed.

Oracle Java SE CVE Number List (As of September 2018)

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 15:14:00 UTC
