The vulnerability can be exploited by using APIs in the specified Component (Oracle's advisory lists the component as JNDI), e.g. through a web service call that feeds attacker-supplied data to those APIs, by an unauthenticated attacker with network access via multiple protocols, to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. It is exploitable remotely over the network, requires no credentials and needs no user interaction. Oracle rates it CVSS 3.1 base score 5.3 (low integrity impact, no confidentiality or availability impact); how much it matters for a given deployment depends on whether untrusted data can reach the affected APIs.

Successful exploitation could result in unauthorized update, insert or delete access to some of the data accessible to Oracle Java SE or Oracle GraalVM Enterprise Edition. In a client deployment that runs untrusted code inside the Java sandbox, the modified data can include data that the sandbox is supposed to keep out of reach of that untrusted code.

References: the vendor has released information about this vulnerability on an agreed (coordinated) disclosure timeline, in the Oracle Critical Patch Update of April 2022.

Workarounds

There are no workarounds at this time; apply the vendor update.

Vulnerability details

CVE-2022-21496 is a vulnerability in the JNDI component of Oracle Java SE and Oracle GraalVM Enterprise Edition. An unauthenticated attacker with network access via multiple protocols can use it to compromise the affected product; no user interaction is required. Oracle's CVSS 3.1 base score is 5.3 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, i.e. low integrity impact and no confidentiality or availability impact; the practical risk depends on whether attacker-controlled input can reach the affected APIs.

Oracle has released updates for CVE-2022-21496

Oracle fixed CVE-2022-21496 in the Critical Patch Update released on April 19, 2022. Affected supported releases are Oracle Java SE 7u331, 8u321, 11.0.14, 17.0.2 and 18, and Oracle GraalVM Enterprise Edition 20.3.5, 21.3.1 and 22.0.0.2. The fix is included in Java SE 7u341, 8u331, 11.0.15, 17.0.3 and 18.0.1 and in the GraalVM Enterprise Edition patch releases that accompany that Critical Patch Update. Oracle's risk matrix lists only supported versions; older, unsupported releases should be assumed affected as well.
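To confirm that a host's Java SE runtime actually carries this update, here is an added example, not code from Oracle or from this advisory: a shell function that takes the first line of `java -version`, handles both the legacy `1.8.0_331` and the JEP 223 `17.0.3` version schemes, and compares the update number with the April 2022 Critical Patch Update levels (7u341, 8u331, 11.0.15, 17.0.3, 18.0.1). The sample version lines shown in the comments are constructed; feature releases Oracle does not list (9, 10, 12 to 16) are reported as "unknown" rather than guessed, and GraalVM Enterprise Edition builds are not covered.

```shell
#!/usr/bin/env bash
# Added example (not Oracle's code): decide from the first line of
# `java -version` whether a Java SE runtime is at or above the April 2022
# Critical Patch Update level that fixes CVE-2022-21496.
# Fixed levels per feature release (Oracle, April 2022 CPU):
#   7u341, 8u331, 11.0.15, 17.0.3, 18.0.1
# Handles both version schemes seen in `java -version` output:
#   java version "1.8.0_331"             legacy  1.<feature>.0_<update>[-bNN]
#   openjdk version "17.0.3" 2022-04-19  JEP 223 <feature>.<interim>.<update>[+build]
# (the two lines above are constructed samples)

# Print "<feature> <update>" for a version string, e.g. "8 331" or "17 3".
parse_java_version() {
    local v="$1" feature update rest
    case "$v" in
        1.*)
            feature="${v#1.}"; feature="${feature%%.*}"
            update="${v##*_}"              # text after the last underscore
            update="${update%%-*}"         # drop a -bNN build suffix
            ;;
        *)
            feature="${v%%.*}"
            rest="${v#*.}"
            if [ "$rest" = "$v" ]; then
                update=0                   # bare "18": no update component
            else
                rest="${rest#*.}"          # drop the interim number
                update="${rest%%[!0-9]*}"  # keep the leading digits only
            fi
            ;;
    esac
    # A missing or non-numeric update field counts as update 0.
    case "$update" in ''|*[!0-9]*) update=0 ;; esac
    echo "$feature $update"
}

# Minimum update number that includes the April 2022 CPU, per feature release.
# Returns 1 for feature releases Oracle's risk matrix does not list.
min_update_for_feature() {
    case "$1" in
        7)  echo 341 ;;
        8)  echo 331 ;;
        11) echo 15 ;;
        17) echo 3 ;;
        18) echo 1 ;;
        *)  return 1 ;;
    esac
}

# Usage: java_fixed_for_cve_2022_21496 '<first line of java -version>'
# Prints fixed / vulnerable / unknown; exit status is 0 only for "fixed".
java_fixed_for_cve_2022_21496() {
    local line="$1" v feature update min
    v="${line#*\"}"; v="${v%%\"*}"         # the quoted version string
    if [ -z "$v" ] || [ "$v" = "$line" ]; then
        echo unknown; return 2
    fi
    set -- $(parse_java_version "$v")
    feature="$1"; update="$2"
    if ! min="$(min_update_for_feature "$feature")"; then
        echo unknown; return 2
    fi
    if [ "$update" -ge "$min" ]; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# When run directly, check the JVM on PATH (skipped if none is installed).
if command -v java >/dev/null 2>&1; then
    first_line="$(java -version 2>&1 | head -n 1)"
    verdict="$(java_fixed_for_cve_2022_21496 "$first_line" || true)"
    echo "$first_line -> $verdict"
fi
```

Run it on each host (or feed it saved `java -version` output) and treat anything other than "fixed" as needing attention; an "unknown" result usually means an end-of-life feature release that Oracle no longer lists, which should be assumed affected.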

Vulnerability Details

The vulnerability is reachable through APIs in the specified Component (JNDI) and can be used to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. There are two ways to reach it, depending on where the attacker sits and what they control:

- In a client deployment that loads and runs untrusted code (a sandboxed Java Web Start application or applet) and relies on the Java sandbox for security, the untrusted code calls the affected APIs directly; no user interaction is needed beyond running that code.
- In a server or standalone deployment, the attacker supplies crafted data over the network, via any protocol the application accepts (e.g. a web service request), and the application passes that data to the affected APIs.

In both cases the attacker needs no credentials.

Timeline

Published on: 04/19/2022 21:15:00 UTC
Last modified on: 05/14/2022 12:15:00 UTC

References