CVE-2022-21282 in Java SEinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/28/2026

The vulnerability identified as CVE-2022-21282 represents a significant security flaw within the Java XML Processing (JAXP) component of Oracle Java SE and GraalVM Enterprise Edition. This weakness resides in the XML parsing functionality that is fundamental to how Java applications process structured data, particularly when handling untrusted input from network sources. The vulnerability affects multiple major Java versions including 7u321, 8u311, 11.0.13, and 17.01, alongside GraalVM Enterprise Edition versions 20.3.4 and 21.3.0, indicating a broad impact across the Java ecosystem. The flaw stems from inadequate input validation mechanisms within the JAXP implementation, specifically when processing XML documents that contain maliciously crafted content.

The technical exploitation of this vulnerability occurs through network-based attacks that do not require authentication, making it particularly dangerous in environments where Java applications are exposed to untrusted data sources. Attackers can leverage this weakness by sending specially crafted XML payloads that trigger the vulnerable parsing logic, potentially leading to unauthorized data access within the Java runtime environment. The vulnerability's classification as easily exploitable reflects the minimal prerequisites needed for successful attack execution, requiring only network connectivity and the ability to inject malicious XML content into the targeted system. The CVSS score of 5.3 indicates a moderate severity level with confidentiality impacts, suggesting that while the attack vector is relatively straightforward, the potential for data exposure remains significant.

The operational impact of CVE-2022-21282 extends beyond simple data theft, as it specifically targets the Java sandbox mechanisms that are designed to isolate untrusted code execution. This vulnerability undermines the fundamental security model of Java Web Start applications and applets that rely on sandboxed execution environments to prevent unauthorized access to system resources. The attack surface includes web services that utilize JAXP APIs for processing incoming data, making it possible for remote attackers to compromise the underlying Java runtime through data injection attacks. Organizations running affected Java versions must consider the broader implications for their security posture, particularly in environments where Java applications process data from external sources without proper validation mechanisms.

Security mitigations for this vulnerability should focus on immediate patching of affected Java versions, implementing network segmentation to limit exposure, and deploying additional input validation layers before XML processing occurs. Organizations should also consider disabling unnecessary JAXP functionality in applications that do not require XML processing capabilities. The vulnerability aligns with CWE-20, which addresses improper input validation, and maps to ATT&CK technique T1059.007 for XML external entity processing. Regular monitoring of Java application logs for suspicious XML processing activities and implementing network-based intrusion detection systems can help identify potential exploitation attempts. Given the vulnerability's impact on sandboxed environments, security teams should also review application deployment configurations to ensure that untrusted code execution is properly restricted and that appropriate security policies are enforced.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.02877

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!