CVE-2022-21624 in Java SEinfo

Summary

by MITRE • 10/19/2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

This vulnerability resides within the Java Naming and Directory Interface component of Oracle Java SE and GraalVM Enterprise Edition, representing a significant security weakness that affects multiple supported versions including Java 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19, and GraalVM versions 20.3.7, 21.3.3, and 22.2.0. The vulnerability manifests as a difficulty in exploitation scenario that allows unauthenticated attackers with network access to compromise the affected systems through various protocols. The security impact is categorized under integrity impacts with a CVSS base score of 3.7, indicating a moderate severity threat that can result in unauthorized modification of data within the affected systems.

The technical flaw specifically involves the JNDI implementation which can be manipulated by attackers to gain unauthorized access to data through update, insert, or delete operations on accessible data within the Java environment. This vulnerability particularly affects deployments where untrusted code is executed within sandboxed environments such as Java Web Start applications or applets that rely on Java sandbox security mechanisms for protection. The attack vector is particularly concerning as it can be exploited through APIs within the specified component, making it possible for attackers to leverage web services that supply data to these APIs as a means of exploitation.

The operational impact of this vulnerability extends beyond simple data integrity concerns, as it creates potential pathways for attackers to manipulate critical system data without authentication. The affected environments typically include client-side deployments where Java applications run in sandboxed contexts, making the exploitation particularly dangerous in scenarios where users execute untrusted code from internet sources. This vulnerability demonstrates the ongoing challenges in securing Java-based applications and highlights the importance of proper input validation and access controls within JNDI implementations.

Organizations should consider implementing network segmentation and access controls to limit exposure of affected Java deployments to untrusted networks. Regular patching and updating of Java installations to the latest supported versions is critical, as Oracle has addressed this vulnerability in subsequent releases. Security monitoring should focus on detecting anomalous network traffic patterns that may indicate exploitation attempts, particularly around JNDI-related API calls and data modification activities. The vulnerability aligns with CWE-20, which addresses improper input validation, and could be mapped to ATT&CK technique T1190 for exploitation through Java-based applications, emphasizing the need for comprehensive security measures across both network and application layers to prevent unauthorized data manipulation.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

10/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01401

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!