Vulnerability Name:

CVE-2022-21277 (CCN-217572)

Assigned:2021-11-15
Published:2022-01-18
Updated:2022-10-27
Summary:Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
5.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-noinfo
CWE-770
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-21277

Source: XF
Type: UNKNOWN
oracle-cpujan2022-cve202221277(217572)

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-05

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220121-0007/

Source: DEBIAN
Type: Third Party Advisory
DSA-5057

Source: DEBIAN
Type: Third Party Advisory
DSA-5058

Source: CCN
Type: IBM Security Bulletin 6560110 (Semeru Runtimes)
Multiple vulnerabilities may affect IBM Semeru Runtime

Source: CCN
Type: IBM Security Bulletin 6583983 (Watson Assistant for Cloud Pak for data)
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to an unspecified vulnerability in Java SE ( CVE-2022-21277)

Source: CCN
Type: IBM Security Bulletin 6594459 (Netcool Operations Insight)
Netcool Operations Insight v1.6.4 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:graalvm:21.3.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:oracle:jre:17.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jre:11.0.13:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:graalvm:20.3.4:*:*:*:enterprise:*:*:*
  • OR cpe:/a:oracle:jdk:17.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdk:11.0.13:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
  • OR cpe:/a:netapp:snapmanager:-:*:*:*:*:sap:*:*
  • OR cpe:/a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:cloud_insights:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*
  • OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.70.1)

    • Configuration 4:
  • cpe:/a:oracle:openjdk:17:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:openjdk:*:*:*:*:*:*:*:* (Version >= 15 and <= 15.0.5)
  • OR cpe:/a:oracle:openjdk:*:*:*:*:*:*:*:* (Version >= 11 and <= 11.0.13)
  • OR cpe:/a:oracle:openjdk:*:*:*:*:*:*:*:* (Version >= 13 and <= 13.0.9)
  • OR cpe:/a:oracle:openjdk:17.0.1:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

    • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

    • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:oracle:java_se:11.0.13:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:java_se:17.01:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:graalvm:20.3.4:*:*:*:enterprise:*:*:*
  • OR cpe:/a:oracle:graalvm:21.3.0:*:*:*:enterprise:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7535
    P
    		java-11-openjdk-11.0.19.0-150000.3.96.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:7536
    P
    		java-17-openjdk-17.0.7.0-150400.3.18.2 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:8079
    P
    		java-1_8_0-ibm-1.8.0_sr8.0-150000.3.71.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:3437
    P
    		audiofile-0.3.6-11.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:95067
    P
    		java-1_8_0-ibm-1.8.0_sr7.5-150000.3.56.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94586
    P
    		java-11-openjdk-11.0.15.0-150000.3.80.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:2956
    P
    		java-11-openjdk-11.0.15.0-150000.3.80.1 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94587
    P
    		java-17-openjdk-17.0.3.0-150400.1.8 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:2957
    P
    		java-17-openjdk-17.0.3.0-150400.1.8 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:101888
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:126846
    P
    		Security update for java-1_7_1-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:5995
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:119536
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:5205
    P
    		Security update for java-1_7_1-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:126847
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:125680
    P
    		Security update for java-1_7_1-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:5206
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:127243
    P
    		Security update for java-1_7_1-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:125681
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:5994
    P
    		Security update for java-1_7_1-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:1228
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:127244
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:119351
    P
    		Security update for java-1_8_0-ibm (Important)
    2022-03-29
    oval:org.opensuse.security:def:94483
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:1538
    P
    		Security update for java-11-openjdk (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:100433
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:93850
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:102102
    P
    		Security update for java-11-openjdk (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:100767
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:94062
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:970
    P
    		Security update for java-11-openjdk (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:119145
    P
    		Security update for java-11-openjdk (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:101662
    P
    		Security update for java-11-openjdk (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:94276
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:100095
    P
    		 (Moderate)
    2022-03-14
    oval:org.opensuse.security:def:6181
    P
    		Security update for java-11-openjdk (Moderate)
    2022-03-04
    oval:com.redhat.rhsa:def:20220185
    P
    		RHSA-2022:0185: java-11-openjdk security update (Moderate)
    2022-01-24
    oval:com.redhat.rhsa:def:20220204
    P
    		RHSA-2022:0204: java-11-openjdk security update (Moderate)
    2022-01-24
    oval:com.redhat.rhsa:def:20220161
    P
    		RHSA-2022:0161: java-17-openjdk security update (Moderate)
    2022-01-19
    BACK
    oracle graalvm 21.3.0
    oracle jre 17.0.1
    oracle jre 11.0.13
    oracle graalvm 20.3.4
    oracle jdk 17.0.1
    oracle jdk 11.0.13
    debian debian linux 10.0
    debian debian linux 11.0
    netapp snapmanager -
    netapp snapmanager -
    netapp oncommand workflow automation -
    netapp oncommand insight -
    netapp cloud insights -
    netapp e-series santricity storage manager -
    netapp solidfire -
    netapp hci management node -
    netapp santricity unified manager -
    netapp e-series santricity web services -
    netapp e-series santricity os controller *
    oracle openjdk 17
    oracle openjdk *
    oracle openjdk *
    oracle openjdk *
    oracle openjdk 17.0.1
    oracle java se 11.0.13
    oracle java se 17.01
    oracle graalvm 20.3.4
    oracle graalvm 21.3.0