CVE-2022-21540 in Java SE
Summary
by MITRE • 07/20/2022
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/28/2026
This vulnerability resides within the Hotspot component of Oracle Java SE and Oracle GraalVM Enterprise Edition, representing a critical security weakness that affects multiple supported versions including Java SE 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1, and GraalVM Enterprise Edition versions 20.3.6, 21.3.2, and 22.1.0. The vulnerability falls under the Common Weakness Enumeration category CWE-250, which specifically addresses execution of unauthorized code or commands, and aligns with ATT&CK technique T1059.007 for command and scripting interpreter. The flaw manifests as an easily exploitable vulnerability that requires no authentication and can be leveraged by attackers with network access through multiple protocols. The CVSS 3.1 scoring system rates this vulnerability at 5.3, indicating a medium severity level with confidentiality impacts, where the attack vector is network-based, attack complexity is low, no privileges are required, and no user interaction is necessary. This vulnerability specifically targets Java deployments that operate in sandboxed environments, particularly those running sandboxed Java Web Start applications or applets that execute untrusted code from untrusted sources. The attack scenario typically involves loading and executing untrusted code that relies on the Java sandbox for protection, making this a significant concern for environments where code isolation is paramount.
The operational impact of CVE-2022-21540 is substantial as successful exploitation can result in unauthorized read access to sensitive data within the affected Java SE and GraalVM Enterprise Edition deployments. This data exposure occurs through a subset of accessible information that could include system files, configuration data, or other sensitive resources that the vulnerable Java runtime environment has access to. The vulnerability's applicability extends beyond traditional desktop applications to include web services that utilize APIs within the affected component, creating additional attack vectors through API-based exploitation. Organizations running Java-based applications in client environments, particularly those that rely on Java applets or Web Start applications, face increased risk from this vulnerability. The attack surface is broadened by the fact that this vulnerability can be exploited through multiple protocols, making it particularly dangerous for environments with diverse network services and applications. The sandboxed nature of the targeted applications means that while the Java runtime environment provides security boundaries, this vulnerability allows attackers to bypass those protections and access data that should remain isolated.
Mitigation strategies for CVE-2022-21540 should prioritize immediate patching of affected systems with the latest Oracle security updates, which address the underlying vulnerability in the Hotspot component. Organizations should implement network segmentation to limit access to Java-based applications and reduce the attack surface available to potential adversaries. The principle of least privilege should be enforced by restricting Java application permissions and ensuring that sandboxed environments maintain strict isolation boundaries. Security monitoring should be enhanced to detect unusual network activity or data access patterns that might indicate exploitation attempts. Additional protective measures include disabling Java applets and Web Start applications where possible, implementing application whitelisting policies, and conducting regular security assessments of Java-based deployments. The mitigation approach should align with defense-in-depth strategies that include network-based controls, endpoint protection, and continuous monitoring. Organizations should also consider transitioning away from legacy Java versions that are no longer receiving security updates, particularly given that Java SE 7 and 8 are end-of-life and no longer supported by Oracle. Security teams should implement regular vulnerability scanning and penetration testing to identify and remediate similar vulnerabilities within their Java-based infrastructure. The remediation process must include comprehensive testing to ensure that patching does not introduce regressions in application functionality while maintaining the security posture of the environment.