PT-2022-6857 · Oracle+10 · Java Se+12

Published

2022-04-19

·

Updated

2026-05-08

·

CVE-2022-21426

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions Oracle Java SE versions 7u331, 8u321, 11.0.14, 17.0.2, 18 Oracle GraalVM Enterprise Edition versions 20.3.5, 21.3.1, 22.0.0.2
Description The issue is related to an unauthenticated attacker with network access via multiple protocols being able to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. This can result in a partial denial of service (partial DOS) of the affected systems. The vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component, such as through a web service that supplies data to the APIs.
Recommendations For Oracle Java SE versions 7u331, 8u321, 11.0.14, 17.0.2, 18, update to a version that includes the fix for this issue. For Oracle GraalVM Enterprise Edition versions 20.3.5, 21.3.1, 22.0.0.2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the JAXP component to minimize the risk of exploitation. Avoid using APIs in the specified component until the issue is resolved.

Exploit

Fix

Allocation of Resources Without Limits

RCE

Resource Exhaustion

Weakness Enumeration

CWE-770CWE-20CWE-400

Related Identifiers

ALSA-2022:1442
ALSA-2022:1445
ALSA-2022:1491
ALT-PU-2022-7656
ALT-PU-2022-7657
ALT-PU-2022-7658
ALT-PU-2022-7661
ALT-PU-2022-7662
ALT-PU-2022-7663
BDU:2023-05186
BIT-JAVA-2022-21426
BIT-JAVA-MIN-2022-21426
BIT-JRE-2022-21426
CESA-2022_1440
CESA-2022_1442
CESA-2022_1445
CESA-2022_1487
CESA-2022_1491
CVE-2022-21426
DLA-3006-1
DSA-5128-1
DSA-5131-1
MGASA-2022-0261
OESA-2022-1702
OESA-2022-1815
OESA-2022-2145
OPENSUSE-SU-2022_1513-1
OPENSUSE-SU-2022_2530-1
OPENSUSE-SU-2022_2650-1
OPENSUSE-SU-2022_3092-1
OPENSUSE-SU-2024:12013-1
OPENSUSE-SU-2024:12014-1
OPENSUSE-SU-2024:12015-1
OPENSUSE-SU-2024:12018-1
OPENSUSE-SU-2024:12019-1
OPENSUSE-SU-2024:12163-1
OPENSUSE-SU-2024:12185-1
OPENSUSE-SU-2024:12186-1
OPENSUSE-SU-2025:0066-1
RHSA-2022:1440
RHSA-2022:1441
RHSA-2022:1442
RHSA-2022:1443
RHSA-2022:1444
RHSA-2022:1445
RHSA-2022:1487
RHSA-2022:1488
RHSA-2022:1489
RHSA-2022:1490
RHSA-2022:1491
RHSA-2022:1728
RHSA-2022:1729
RHSA-2022:2137
RHSA-2022_1440
RHSA-2022_1442
RHSA-2022_1445
RHSA-2022_1487
RHSA-2022_1491
RHSA-2022_1728
RHSA-2022_1729
RHSA-2022_2137
RHSA-2023:3136
RHSA-2023_3136
RLSA-2022:1442
RLSA-2022:1445
RLSA-2022:1491
ROSA-SA-2023-2139
SUSE-SU-2022:1474-1
SUSE-SU-2022:1513-1
SUSE-SU-2022:2530-1
SUSE-SU-2022:2531-1
SUSE-SU-2022:2539-1
SUSE-SU-2022:2540-1
SUSE-SU-2022:2650-1
SUSE-SU-2022:3092-1
SUSE-SU-2022_1474-1
SUSE-SU-2022_1513-1
SUSE-SU-2022_2530-1
SUSE-SU-2022_2531-1
SUSE-SU-2023:1823-1
SUSE-SU-2023:1850-1
SUSE-SU-2023_1823-1
SUSE-SU-2023_1850-1
USN-5388-1
USN-5388-2
USN-5546-1
USN-5546-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Graalvm Enterprise Edition
Java Platform
Java Se
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu