Login Sign Up

CVE-2022-21476

7.5 HIGH

📋 TL;DR

This vulnerability in Oracle Java SE and GraalVM Enterprise Edition allows unauthenticated remote attackers to access sensitive data from Java applications. It affects Java deployments running sandboxed Web Start applications or applets that load untrusted code from the internet. The vulnerability can be exploited via network protocols without user interaction.

💻 Affected Systems

Products:
  • Oracle Java SE
  • Oracle GraalVM Enterprise Edition
Versions: Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1, 22.0.0.2
Operating Systems: All platforms running affected Java versions
Default Config Vulnerable: ⚠️ Yes
Notes: Primarily affects deployments running sandboxed Java Web Start applications or applets that load untrusted code from the internet.

📦 What is this software?

Active Iq Unified Manager by Netapp

View all CVEs affecting Active Iq Unified Manager →

Active Iq Unified Manager by Netapp

View all CVEs affecting Active Iq Unified Manager →

Bootstrap Os by Netapp

View all CVEs affecting Bootstrap Os →

Cloud Insights Acquisition Unit by Netapp

View all CVEs affecting Cloud Insights Acquisition Unit →

Cloud Secure Agent by Netapp

View all CVEs affecting Cloud Secure Agent →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

E Series Santricity Os Controller by Netapp

View all CVEs affecting E Series Santricity Os Controller →

E Series Santricity Storage Manager by Netapp

View all CVEs affecting E Series Santricity Storage Manager →

E Series Santricity Web Services by Netapp

View all CVEs affecting E Series Santricity Web Services →

Element Software by Netapp

View all CVEs affecting Element Software →

Graalvm by Oracle

View all CVEs affecting Graalvm →

Graalvm by Oracle

View all CVEs affecting Graalvm →

Graalvm by Oracle

View all CVEs affecting Graalvm →

Hci Management Node by Netapp

View all CVEs affecting Hci Management Node →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Oncommand Insight by Netapp

View all CVEs affecting Oncommand Insight →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Santricity Unified Manager by Netapp

View all CVEs affecting Santricity Unified Manager →

Solidfire by Netapp

View all CVEs affecting Solidfire →

Zulu by Azul

View all CVEs affecting Zulu →

Zulu by Azul

View all CVEs affecting Zulu →

Zulu by Azul

View all CVEs affecting Zulu →

Zulu by Azul

View all CVEs affecting Zulu →

Zulu by Azul

View all CVEs affecting Zulu →

Zulu by Azul

View all CVEs affecting Zulu →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all accessible data in vulnerable Java deployments, potentially exposing sensitive information like credentials, personal data, or proprietary information.

🟠

Likely Case

Unauthorized access to application data in internet-facing Java applications, particularly those running untrusted code in sandboxed environments.

🟢

If Mitigated

Limited impact if applications don't load untrusted code or if network access to vulnerable services is restricted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CVSS indicates low attack complexity and no authentication required. Multiple protocols can be used for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Java SE: 7u341, 8u331, 11.0.15, 17.0.3, 18.0.1; GraalVM: 20.3.6, 21.3.2, 22.0.0.3

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html

Restart Required: Yes

Instructions:

1. Download latest Java version from Oracle. 2. Uninstall affected Java versions. 3. Install patched version. 4. Restart affected applications/services.

🔧 Temporary Workarounds

Disable Java Web Start/Applets

all

Prevent execution of sandboxed Java applications that load untrusted code

For browsers: Disable Java plugin
System-wide: Remove Java browser integration

Network Segmentation

all

Restrict network access to Java applications

firewall rules to limit inbound connections to Java services

🧯 If You Can't Patch

  • Disable Java Web Start and applet functionality entirely
  • Implement strict network controls to limit access to Java applications

🔍 How to Verify

Check if Vulnerable:

Check Java version with 'java -version' and compare against affected versions

Check Version:

java -version

Verify Fix Applied:

Verify installed Java version is equal to or higher than patched versions listed in fix_official

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java process activity
  • Multiple failed data access attempts in Java applications

Network Indicators:

  • Unexpected network connections to Java services
  • Traffic patterns matching Java RMI or other Java protocols

SIEM Query:

source="java" AND (event_type="security_violation" OR event_type="data_access")

📊 Metadata

CVE ID: CVE-2022-21476
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published: April 19, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON