by using the ForceUpdate method. Vulnerable component: Software - Oracle GraalVM Enterprise Edition - Standard Deployment - Security. Vulnerable versions: 20.3.7, 21.3.3 and 22.2.0. Fix information: update vendor software. Vendor workaround information:
- 20.3.7: https://blogs.oracle.com/s/entry/direct_update_20_3_7_gravvm
- 21.3.3: https://blogs.oracle.com/s/entry/direct_update_21_3_3_gravvm
- 22.2.0: https://blogs.oracle.com/s/entry/direct_update_22_2_0_gravvm
Access Vector Network Access Vulnerability - CVE-2018-3136 - (Critical) - Access Vector Network Access - CVE-

Oracle GraalVM Enterprise Edition - Standard Deployment - Software Security Notes

The following vulnerabilities were found in Oracle GraalVM Enterprise Edition - Standard Deployment software:
CVE-2022-21619 (ForceUpdate method)
CVSS 2.0 Base Score 4.7 (remediation data is not currently available). CVSS Vector:
(CVSS:2.0/AV:N/AC:H/PROT:H/UI:R/S:U/C:L/I:N/A:N). For details on vulnerability severity rating, CVSS criteria, vulnerabilities related to this component, research, fixes, and workarounds, please refer to vendor advisory.

Oracle Graal Virtual Machine Enterprise Edition - Standard Deployment - Security

The vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the software. The flaw exists within the application's process management. An attacker can leverage this vulnerability to execute code under the context of the application's binary and gain control over it. This leads to a complete compromise of the system.

Oracle GraalVM Enterprise Edition - Standard Deployment - Vulnerability Scenario

The vulnerability exists because the framework does not properly validate user-supplied input before that input is used to execute code. An attacker may be able to read, modify, or delete data on the target system.

Vulnerability Description

An issue was discovered in the Oracle GraalVM Enterprise Edition software that affects the Server component. The vulnerability is caused by a flaw in the ForceUpdate method: by using this method to perform updates, an attacker can change the vulnerable software without triggering any defenses, and can exploit this to execute arbitrary code with elevated privileges.

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/18/2022 21:18:00 UTC

References