CVE-2022-21283 in Java SE
Summary
by MITRE • 01/19/2022
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/28/2026
This vulnerability resides within the Oracle Java SE and Oracle GraalVM Enterprise Edition software components, specifically targeting the Libraries functionality. The flaw affects critical versions including Java SE 11.0.13 and 17.01, alongside GraalVM Enterprise Edition versions 20.3.4 and 21.3.0. The vulnerability classification as easily exploitable indicates that attackers require minimal prerequisites to leverage this weakness, needing only network access through multiple protocols without requiring authentication. This characteristic places the vulnerability within the scope of network-based attacks that can be executed by adversaries with no prior access credentials.
The technical nature of this vulnerability manifests as a partial denial of service condition that impacts the availability aspect of the system's security posture. The CVSS 3.1 scoring system assigns a base score of 5.3, reflecting the medium severity impact with availability being the primary concern. The attack vector is classified as network-based (AV:N) requiring low attack complexity (AC:L) and no privileges (PR:N) with no user interaction needed (UI:N). This configuration suggests that attackers can exploit the vulnerability remotely without requiring specialized tools or extensive knowledge of the target system's internal workings.
The operational impact of this vulnerability extends beyond simple service disruption to encompass broader security implications for Java deployments. The vulnerability specifically affects environments where sandboxed Java Web Start applications or applets operate, creating potential attack surfaces when these applications load untrusted code from external sources. This threat model aligns with CWE-242, which addresses the weakness of using dangerous functions that can lead to security vulnerabilities. The exploitation pathway through APIs within the affected component further complicates the threat landscape, as web services supplying data to these APIs could become attack vectors.
The security implications of this vulnerability are particularly concerning in enterprise environments where Java applications serve as critical infrastructure components. The partial denial of service impact means that while complete system compromise may not occur, the availability of services can be significantly degraded, potentially affecting business operations and user access. This vulnerability represents a gap in the Java sandbox security model, as it demonstrates that even sandboxed environments can be compromised through carefully crafted attacks. The attack surface expands when considering that both Java SE and GraalVM Enterprise Edition are widely deployed across various enterprise applications, making the potential impact of this vulnerability widespread.
Mitigation strategies for this vulnerability should focus on immediate patching of affected systems, as Oracle would have released security updates addressing this specific weakness. Organizations should also implement network segmentation and access controls to limit exposure of vulnerable Java applications to untrusted networks. Monitoring for anomalous network traffic patterns and unusual application behavior can help detect exploitation attempts. The implementation of additional security layers such as application firewalls and runtime application self-protection mechanisms can provide defense-in-depth approaches. Organizations should also consider disabling unnecessary Java applet and Web Start functionality where possible, as this reduces the attack surface for exploitation. This vulnerability demonstrates the importance of maintaining current security patches and the inherent risks associated with legacy Java applications that continue to operate in production environments without proper security controls. The ATT&CK framework would categorize this vulnerability under initial access and privilege escalation techniques, as it provides a pathway for attackers to compromise system availability and potentially establish persistent access through the exploitation of sandbox weaknesses.