CVE-2022-21299 in Java SEinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/28/2026

This vulnerability resides within the Java XML Processing (JAXP) component of Oracle Java SE and GraalVM Enterprise Edition, representing a critical availability risk that undermines system stability through partial denial of service conditions. The flaw affects specific release versions including Java SE 7u321, 8u311, 11.0.13, and 17.01, alongside GraalVM Enterprise Edition 20.3.4 and 21.3.0, demonstrating the widespread impact across multiple Java runtime environments. The vulnerability's exploitability score of 5.3 on the CVSS 3.1 scale indicates a medium severity threat that requires no authentication and can be triggered through multiple network protocols, making it particularly dangerous for systems exposed to untrusted network traffic.

The technical implementation of this vulnerability stems from insufficient input validation within the JAXP processing framework, which fails to properly handle malformed XML data structures that could be crafted by malicious actors. This weakness creates a pathway for attackers to manipulate XML parsing operations in ways that consume excessive system resources or trigger unexpected processing behaviors. The vulnerability specifically targets the sandboxed execution environments where Java Web Start applications and applets operate, leveraging the trust model that allows these applications to execute within restricted environments while still maintaining access to system resources through the underlying XML processing libraries.

Operational impact of this vulnerability manifests primarily through partial denial of service conditions that can significantly degrade system performance or render specific services unavailable to legitimate users. Attackers can exploit this weakness by delivering malicious XML content through web services or network protocols that utilize the affected JAXP APIs, potentially causing resource exhaustion or process termination within the Java runtime environment. The vulnerability's applicability to both client-side sandboxed applications and server-side web service implementations creates multiple attack vectors that organizations must consider when assessing their security posture, particularly in environments where untrusted XML data processing is a common requirement.

Organizations should implement immediate mitigation strategies including patching affected systems to the latest supported versions of Java SE and GraalVM Enterprise Edition, as well as deploying network-level controls to filter and validate XML traffic before it reaches vulnerable applications. Security monitoring should focus on identifying unusual XML processing patterns or resource consumption spikes that may indicate exploitation attempts. Additionally, organizations should consider implementing application-level restrictions on XML processing capabilities and ensuring that sandboxed applications have minimal privileges to prevent escalation of compromised systems. This vulnerability aligns with CWE-20 (Improper Input Validation) and maps to ATT&CK technique T1210 (Exploitation of Remote Services) through network-based exploitation of XML parsing functionality. The CVSS vector analysis indicates that while no user interaction or privilege escalation is required, the vulnerability's impact on availability makes it particularly concerning for mission-critical systems that depend on consistent service delivery.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.03458

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!