CVE-2022-21366 in Java SEinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

The vulnerability identified as CVE-2022-21366 resides within the Oracle Java SE and Oracle GraalVM Enterprise Edition image processing components, specifically the ImageIO functionality that handles various image file formats. This flaw affects critical versions including Java SE 11.0.13 and 17.0.1, alongside GraalVM Enterprise Edition versions 20.3.4 and 21.3.0, representing a significant security concern for organizations deploying these runtime environments. The vulnerability's classification as easily exploitable indicates that attackers can leverage it without requiring specialized skills or privileged access, making it particularly dangerous in production environments where Java applications process untrusted input data from external sources.

The technical nature of this vulnerability stems from insufficient input validation within the ImageIO component's image parsing mechanisms, creating a potential for malformed image data to trigger unexpected behavior in the Java runtime environment. This flaw operates through multiple network protocols and can be exploited by attackers who gain network access to systems running affected Java versions. The vulnerability's impact manifests as a partial denial of service condition, where the targeted Java processes may become unresponsive or consume excessive resources, effectively disrupting service availability for legitimate users. According to the CVSS 3.1 scoring system with a base score of 5.3, the vulnerability exhibits low attack complexity and requires no authentication, making it accessible to a broad range of potential threat actors.

The operational implications of CVE-2022-21366 extend beyond simple service disruption, as it specifically targets environments where Java applications process untrusted content through sandboxed execution contexts such as Java Web Start applications or applets. This vulnerability particularly affects systems that rely on the Java sandbox security model to protect against malicious code execution, creating a dangerous scenario where attackers can bypass security boundaries through carefully crafted image files. The vulnerability's applicability to web services that utilize the affected APIs further amplifies its potential impact, as it can be exploited through data processing workflows that accept image uploads or transformations from external sources. Organizations deploying Java applications in cloud environments or multi-tenant systems face heightened risk due to the shared nature of resources and potential for lateral movement through compromised Java processes.

Security professionals should consider this vulnerability in the context of the ATT&CK framework, particularly under the 'Execution' and 'Resource Hijacking' tactics where attackers may leverage such flaws to consume system resources or execute unauthorized processes. The CWE (Common Weakness Enumeration) classification for this vulnerability aligns with CWE-20, which addresses "Improper Input Validation," and potentially CWE-400, "Uncontrolled Resource Consumption," given the partial denial of service impact. Mitigation strategies should include immediate deployment of Oracle's security patches for the affected Java SE and GraalVM versions, implementation of network segmentation to limit exposure of vulnerable Java applications, and application of input validation controls to prevent processing of untrusted image files. Organizations should also consider disabling unnecessary image processing capabilities in Java applications and implementing monitoring solutions to detect anomalous resource consumption patterns that may indicate exploitation attempts. The vulnerability's impact on sandboxed environments underscores the importance of maintaining current security practices and avoiding reliance on deprecated security models that may be insufficient against modern attack vectors.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.03216

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!