CVE-2022-39399 in Java SEinfo

Summary

by MITRE • 10/19/2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/01/2026

This vulnerability resides within the networking component of Oracle Java SE and GraalVM Enterprise Edition, representing a significant security weakness that affects multiple version streams including Java SE 11.0.16.1, 17.0.4.1, and 19, alongside GraalVM Enterprise Edition versions 20.3.7, 21.3.3, and 22.2.0. The flaw manifests as a difficulty in exploitation scenario that allows unauthenticated remote attackers to compromise systems through HTTP network access, aligning with CWE-284 access control weaknesses that permit unauthorized modifications to system resources. The vulnerability specifically targets deployments where untrusted code execution occurs within sandboxed environments, creating a dangerous attack surface that bypasses normal security boundaries.

The technical implementation of this vulnerability stems from insufficient validation mechanisms within the networking stack that processes HTTP requests in Java applications. Attackers can leverage this weakness to perform unauthorized modifications to data accessible through the affected Java deployments, though the impact remains limited to integrity rather than confidentiality or availability. The CVSS score of 3.7 reflects the moderate severity of the integrity impact, where attackers could potentially execute unauthorized update, insert, or delete operations against data within the Java environment. This vulnerability operates under the principle of privilege escalation through network-based attacks, where the attacker does not require authentication but must have network access to the target system, making it particularly concerning for environments where Java applications are exposed to untrusted networks.

The operational impact of this vulnerability extends beyond simple data integrity concerns, as it undermines the fundamental security model of sandboxed Java applications that rely on the Java sandbox for protection. Systems running sandboxed Java Web Start applications or applets that load code from the internet become particularly vulnerable, as these deployments typically assume that the sandbox will prevent malicious code from accessing system resources. The vulnerability specifically targets client-side deployments rather than server-side environments where administrators typically control code execution, meaning that user-facing applications with untrusted code loading capabilities are at risk. This presents a significant concern for organizations that deploy Java-based applications in environments where users might encounter untrusted content from external sources.

Organizations should implement immediate mitigations including restricting network access to Java applications, disabling unnecessary HTTP services, and ensuring that Java deployments only execute trusted code. The recommended approach involves updating to patched versions of affected Java SE and GraalVM Enterprise Edition releases, as well as implementing network segmentation to limit exposure. Security teams should also consider disabling Java applets and Web Start applications where possible, as these deployment models are particularly vulnerable to this class of attack. The vulnerability demonstrates the importance of maintaining updated Java installations and understanding the security implications of sandboxed environments that may not adequately protect against sophisticated network-based attacks. Compliance with industry standards such as NIST SP 800-53 and ISO 27001 requires organizations to maintain inventory of Java deployments and ensure proper patch management to prevent exploitation of such vulnerabilities.

Responsible

Oracle

Reservation

09/02/2022

Disclosure

10/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01473

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!