CVE-2022-21293 – OpenJDK: Incomplete checks of StringBuffer and StringBuilder during deserialization (Libraries, 8270392)
https://notcve.org/view.php?id=CVE-2022-21293
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21293 https:& • CWE-502: Deserialization of Untrusted Data •
CVE-2022-21283 – OpenJDK: Unexpected exception thrown in regex Pattern (Libraries, 8268813)
https://notcve.org/view.php?id=CVE-2022-21283
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21283 https:& • CWE-248: Uncaught Exception •
CVE-2022-21282 – OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492)
https://notcve.org/view.php?id=CVE-2022-21282
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21282 https://bugzilla.redhat.com/show_bug.cgi?id=2041435 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVE-2022-21248 – OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934)
https://notcve.org/view.php?id=CVE-2022-21248
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4J2N4FNXW6JKJBWUZH6SNI2UHCZXQXCY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPIWQ6DL5IPOT54UBWTISG5T24FQJ7MN https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 h • CWE-502: Deserialization of Untrusted Data •
CVE-2021-35603 – OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
https://notcve.org/view.php?id=CVE-2021-35603
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6EUURAQOIJYFZHQ7DFZCO6IKDPIAWTNK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTYZWIXDFUV2H57YQZJWPOD3BC3I3EIQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXTUWAWXVU37GRNIG4TPMA47THO6VAE6 https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20211022-0004 h • CWE-203: Observable Discrepancy •