CVE-2022-21618 in Java SEinfo

Summary

by MITRE • 10/19/2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

The vulnerability identified as CVE-2022-21618 resides within the Java GSS (Generic Security Services) component of Oracle Java SE and Oracle GraalVM Enterprise Edition, representing a significant security weakness that affects specific versions including Java SE 17.0.4.1 and 19, along with GraalVM Enterprise Edition versions 21.3.3 and 22.2.0. This vulnerability operates at the core of Java's security framework where Kerberos authentication mechanisms are implemented, making it particularly dangerous for systems that rely on these protocols for secure communication. The flaw manifests as an easily exploitable condition that requires no authentication credentials from attackers who can simply access the network, indicating a critical weakness in the security architecture of these Java implementations.

The technical nature of this vulnerability stems from improper validation mechanisms within the JGSS component that processes Kerberos authentication tokens. Attackers can exploit this weakness by crafting malicious Kerberos packets that bypass normal security checks, allowing them to perform unauthorized modifications to data within the Java environment. The CVSS score of 5.3 with integrity impact reflects the specific threat vector where attackers can achieve unauthorized update, insert, or delete operations on data accessible through the vulnerable Java components. This particular vulnerability operates through network-based attacks that exploit the inherent trust model of Java sandboxed applications, particularly affecting deployments where untrusted code execution is permitted.

The operational impact of CVE-2022-21618 extends beyond simple data integrity concerns to potentially compromise entire Java-based systems that utilize Kerberos authentication. Systems running sandboxed Java Web Start applications or applets become particularly vulnerable as these environments rely heavily on the Java sandbox security model that this vulnerability can bypass. The attack surface is further expanded when considering that this vulnerability can be exploited through web services that provide data to APIs within the affected components, creating multiple vectors for exploitation. Organizations deploying these Java versions in production environments face significant risk of data manipulation attacks that could go undetected for extended periods.

Security mitigations for this vulnerability primarily focus on immediate version upgrades to patched releases of Oracle Java SE and GraalVM Enterprise Edition, as recommended by Oracle's security advisories. System administrators should also implement network-level controls such as firewall rules that restrict unnecessary Kerberos traffic and monitor for suspicious authentication patterns. The vulnerability aligns with CWE-284 (Improper Access Control) and can be mapped to ATT&CK technique T1566 (Phishing) when exploited through web service interfaces, as attackers may need to deliver malicious payloads to systems running vulnerable Java components. Organizations should also conduct thorough security assessments of all Java-based applications that utilize Kerberos authentication to identify potential exposure points and implement additional monitoring controls to detect unauthorized data modifications.

Reservation

11/15/2021

Disclosure

10/19/2022

Moderation

accepted

CPE

ready

EPSS

0.02034

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!