CVE-2022-21449
📋 TL;DR
This vulnerability in Oracle Java SE and GraalVM Enterprise Edition allows unauthenticated attackers with network access to modify critical data without authorization. It affects Java deployments running sandboxed applications that load untrusted code from the internet. The vulnerability can be exploited through multiple protocols and has a CVSS score of 7.5.
💻 Affected Systems
- Oracle Java SE
- Oracle GraalVM Enterprise Edition
📦 What is this software?
- E-Series SANtricity OS Controller by NetApp
- E-Series SANtricity Storage Manager by NetApp
- E-Series SANtricity Web Services by NetApp
- GraalVM by Oracle
- JDK by Oracle
- SolidFire & HCI Management Node by NetApp
- SolidFire, Enterprise SDS & HCI Storage Node by NetApp
- Zulu by Azul
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Java application integrity allowing unauthorized creation, deletion, or modification of all accessible data in affected Java deployments.
Likely Case
Data tampering in Java applications that load untrusted code from the internet, particularly affecting sandboxed Java Web Start applications and applets.
If Mitigated
Limited impact if applications don't load untrusted code or if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Easily exploitable via multiple protocols. Public discussions and technical details available in referenced security lists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Oracle Java SE: 17.0.3, 18.0.1; Oracle GraalVM Enterprise Edition: 21.3.2, 22.0.0.3
Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Restart Required: Yes
Instructions:
1. Download the latest Java updates from Oracle.
2. Uninstall affected versions.
3. Install patched versions.
4. Restart affected applications/services.
🔧 Temporary Workarounds
Disable Java Web Start and Applets
Prevent loading of untrusted code by disabling Java Web Start and applet execution
For browsers: Disable Java plugin
System-wide: Configure Java Control Panel to disable applets
Network Segmentation
Restrict network access to Java applications to trusted sources only
firewall-cmd --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="PORT_RANGE" accept'
netsh advfirewall firewall add rule name="JavaRestrict" dir=in action=allow remoteip=TRUSTED_IP localport=PORT protocol=TCP
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure
- Disable Java Web Start and applet functionality in all deployments
🔍 How to Verify
Check if Vulnerable:
Run 'java -version' and check whether the reported version is one of the affected versions: Java SE 17.0.2 or 18, or GraalVM Enterprise Edition 21.3.1 or 22.0.0.2
Check Version:
java -version
Verify Fix Applied:
After patching, run 'java -version' to confirm version is 17.0.3+, 18.0.1+, or GraalVM 21.3.2+, 22.0.0.3+
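The version check described above, carried out as an added shell script that is not part of this advisory: it extracts the quoted version from the first line of `java -version` output (the line layout is assumed from typical OpenJDK builds, and the GraalVM runtime line format is likewise assumed), then compares it against the fixed releases this page lists, reporting any earlier release in the same major family as vulnerable and any family the page does not list as "unlisted". The two sample transcripts embedded in the script are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a Java SE / GraalVM EE
# version against the affected and fixed releases listed on this page.

# First fixed release per major family, as stated in the advisory. Any earlier
# release in the same family is reported as vulnerable.
JAVA_FIXED="17.0.3 18.0.1"
GRAAL_FIXED="21.3.2 22.0.0.3"

# Constructed sample outputs of `java -version` (which prints to stderr).
# The line layout is assumed from typical OpenJDK and GraalVM EE builds.
SAMPLE_JDK='openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-86)
OpenJDK 64-Bit Server VM (build 17.0.2+8-86, mixed mode, sharing)'
SAMPLE_GRAAL='openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment GraalVM EE 22.0.0.2 (build 17.0.2+8-LTS-jvmci-22.0-b05)
OpenJDK 64-Bit Server VM GraalVM EE 22.0.0.2 (build 17.0.2+8-LTS-jvmci-22.0-b05, mixed mode, sharing)'

# normalize_version "17.0.2-ea" -> "17.0.2": drop pre-release/build suffixes
normalize_version() { printf '%s\n' "$1" | sed 's/[-+_].*$//'; }

# major_of "22.0.0.2" -> "22"
major_of() { normalize_version "$1" | cut -d. -f1; }

# version_lt A B: succeeds when A < B, comparing dot-separated numeric fields;
# missing trailing fields count as 0, so "18" compares equal to "18.0.0"
version_lt() {
    awk -v a="$(normalize_version "$1")" -v b="$(normalize_version "$2")" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# fix_status VERSION [graalvm]: prints vulnerable, fixed, or unlisted
fix_status() {
    v="$(normalize_version "$1")"
    if [ "${2:-}" = "graalvm" ]; then fixed_list="$GRAAL_FIXED"; else fixed_list="$JAVA_FIXED"; fi
    for fixed in $fixed_list; do
        if [ "$(major_of "$v")" = "$(major_of "$fixed")" ]; then
            if version_lt "$v" "$fixed"; then echo vulnerable; else echo fixed; fi
            return 0
        fi
    done
    # A major family this advisory does not list: consult the vendor advisory.
    echo unlisted
}

# parse_java_version OUTPUT: the quoted version on the first line
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# parse_graalvm_version OUTPUT: the GraalVM release on the runtime line (assumed format)
parse_graalvm_version() {
    printf '%s\n' "$1" | sed -n 's/.*GraalVM [A-Za-z]* \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# classify_output OUTPUT: one-line verdict for a `java -version` transcript
classify_output() {
    if printf '%s\n' "$1" | grep -q 'GraalVM'; then
        gv="$(parse_graalvm_version "$1")"
        printf 'GraalVM %s: %s\n' "$gv" "$(fix_status "$gv" graalvm)"
    else
        jv="$(parse_java_version "$1")"
        printf 'Java SE %s: %s\n' "$jv" "$(fix_status "$jv")"
    fi
}

echo "constructed samples:"
classify_output "$SAMPLE_JDK"
classify_output "$SAMPLE_GRAAL"
if command -v java >/dev/null 2>&1; then
    echo "installed JVM:"
    classify_output "$(java -version 2>&1)"
fi
```

When a GraalVM runtime is detected the script grades the GraalVM release rather than the underlying JDK version, because the fixed releases the advisory gives for GraalVM Enterprise Edition (21.3.2, 22.0.0.3) are the numbers that apply there. A verdict of "unlisted" means only that this page does not name that major family; it is not a statement that the build is safe.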
📡 Detection & Monitoring
Log Indicators:
- Unexpected Java process restarts
- Unauthorized file modifications in Java application directories
- Security manager exceptions related to sandbox violations
Network Indicators:
- Unusual network traffic to Java applications from untrusted sources
- Multiple protocol attempts to Java services
SIEM Query:
source="java.log" AND (event_type="security_exception" OR process="javaw.exe" OR process="java.exe") AND (version="17.0.2" OR version="18" OR version="21.3.1" OR version="22.0.0.2")
🔗 References
- http://www.openwall.com/lists/oss-security/2022/04/28/2
- http://www.openwall.com/lists/oss-security/2022/04/28/3
- http://www.openwall.com/lists/oss-security/2022/04/28/4
- http://www.openwall.com/lists/oss-security/2022/04/28/5
- http://www.openwall.com/lists/oss-security/2022/04/28/6
- http://www.openwall.com/lists/oss-security/2022/04/28/7
- http://www.openwall.com/lists/oss-security/2022/04/29/1
- http://www.openwall.com/lists/oss-security/2022/04/30/1
- http://www.openwall.com/lists/oss-security/2022/04/30/2
- http://www.openwall.com/lists/oss-security/2022/04/30/3
- http://www.openwall.com/lists/oss-security/2022/04/30/4
- http://www.openwall.com/lists/oss-security/2022/05/01/1
- http://www.openwall.com/lists/oss-security/2022/05/01/2
- http://www.openwall.com/lists/oss-security/2022/05/02/1
- https://security.netapp.com/advisory/ntap-20220429-0006/
- https://www.debian.org/security/2022/dsa-5128
- https://www.debian.org/security/2022/dsa-5131
- https://www.oracle.com/security-alerts/cpuapr2022.html