CVE-2022-21293 in Java SEinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

This vulnerability resides within the Java SE libraries component of Oracle's Java platform and affects multiple versions including Java SE 7u321, 8u311, 11.0.13, and 17.01 along with GraalVM Enterprise Edition 20.3.4 and 21.3.0. The flaw represents a security weakness that can be exploited by unauthenticated attackers who have network access through various protocols. The CVSS score of 5.3 indicates a medium severity issue with availability impact, specifically allowing for partial denial of service conditions. This vulnerability operates under the Common Weakness Enumeration framework as CWE-20, which encompasses "Improper Input Validation" and related issues in software components. The attack vector requires network access with low complexity and no privilege requirements, making it particularly dangerous for environments where Java applications are exposed to untrusted networks.

The operational impact of this vulnerability manifests primarily through partial denial of service conditions that can disrupt normal Java application operations. Attackers can exploit this weakness in environments where Java Web Start applications or applets execute untrusted code within sandboxed environments. The vulnerability's exploitation pathway through APIs and web services creates additional attack surface areas, particularly in server-side applications that process data through Java components. This weakness undermines the fundamental security model of Java sandboxes, which are designed to isolate potentially malicious code from system resources. The attack can occur without authentication requirements, making it especially concerning for publicly accessible Java applications or services that rely on Java libraries for processing external data inputs.

The security implications extend beyond simple availability disruption to potentially compromise the integrity of Java-based applications. When attackers exploit this vulnerability, they can manipulate the Java runtime environment to cause service interruptions that may affect business operations. The vulnerability's applicability to both Java SE and GraalVM Enterprise Edition indicates a broad impact across Oracle's Java ecosystem, affecting organizations that use either platform. Organizations running Java applications in client environments where untrusted code execution is permitted face significant risk, as the vulnerability can be leveraged to cause service degradation. The CVSS vector analysis shows that while the attack requires network access, the low complexity and lack of privilege requirements make it accessible to attackers with minimal technical expertise. This vulnerability aligns with ATT&CK technique T1210, which covers "Exploitation of Remote Services," and represents a critical weakness in Java's security architecture that undermines trust in sandboxed execution environments.

Organizations should implement immediate mitigation strategies including applying the latest Oracle security patches and updates for affected Java versions. System administrators should consider disabling unnecessary Java applets and Web Start applications that could expose the system to this vulnerability. Network segmentation and firewall rules should be configured to limit access to Java services where possible, reducing the attack surface. Additionally, organizations should conduct thorough vulnerability assessments to identify all Java applications and services that may be running vulnerable versions of the Java libraries. Monitoring and logging should be enhanced to detect potential exploitation attempts targeting this specific vulnerability. The remediation process should include comprehensive testing of patched environments to ensure that the vulnerability is properly addressed without introducing regressions in application functionality. Security teams should also review their Java application deployment practices to minimize reliance on potentially vulnerable sandboxed execution environments.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.08346

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!