CVE-2022-21248 - Vulnerability Details

CVE-2022-21248 - OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00083.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Java SE JDK and JRE

affected

Version	Status	Constraints
`Oracle Java SE:7u321`	affected	—
`Oracle Java SE:8u311`	affected	—
`Oracle Java SE:11.0.13`	affected	—
`Oracle Java SE:17.0.1`	affected	—
`Oracle GraalVM Enterprise Edition:20.3.4`	affected	—
`Oracle GraalVM Enterprise Edition:21.3.0`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:oracle:graalvm:20.3.4::::enterprise:::
	cpe:2.3:a:oracle:graalvm:21.3.0::::enterprise:::
	cpe:2.3:a:oracle:jdk:1.7.0:update321::::::
	cpe:2.3:a:oracle:jdk:1.8.0:update311::::::
	cpe:2.3:a:oracle:jdk:11.0.13:::::::*
	cpe:2.3:a:oracle:jdk:17.0.1:::::::*
	cpe:2.3:a:oracle:jre:1.7.0:update321::::::
	cpe:2.3:a:oracle:jre:1.8.0:update311::::::
	cpe:2.3:a:oracle:jre:11.0.13:::::::*
	cpe:2.3:a:oracle:jre:17.0.1:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:netapp:7-mode_transition_tool:-:::::::*
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:::::::*
	cpe:2.3:a:netapp:cloud_secure_agent:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
	cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_web_services:-:::::web_services_proxy::
	cpe:2.3:a:netapp:hci_management_node:-:::::::*
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:santricity_storage_plugin:-:::::vcenter::
	cpe:2.3:a:netapp:santricity_unified_manager:-:::::::*
	cpe:2.3:a:netapp:snapmanager:-:::::oracle::
	cpe:2.3:a:netapp:snapmanager:-:::::sap::
	cpe:2.3:a:netapp:solidfire:-:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 5 [-]

OR	cpe:2.3:a:oracle:openjdk::::::::
	cpe:2.3:a:oracle:openjdk::::::::
	cpe:2.3:a:oracle:openjdk::::::::
	cpe:2.3:a:oracle:openjdk:7:-::::::
	cpe:2.3:a:oracle:openjdk:7:update1::::::
	cpe:2.3:a:oracle:openjdk:7:update10::::::
	cpe:2.3:a:oracle:openjdk:7:update101::::::
	cpe:2.3:a:oracle:openjdk:7:update11::::::
	cpe:2.3:a:oracle:openjdk:7:update111::::::
	cpe:2.3:a:oracle:openjdk:7:update121::::::
	cpe:2.3:a:oracle:openjdk:7:update13::::::
	cpe:2.3:a:oracle:openjdk:7:update131::::::
	cpe:2.3:a:oracle:openjdk:7:update141::::::
	cpe:2.3:a:oracle:openjdk:7:update15::::::
	cpe:2.3:a:oracle:openjdk:7:update151::::::
	cpe:2.3:a:oracle:openjdk:7:update161::::::
	cpe:2.3:a:oracle:openjdk:7:update17::::::
	cpe:2.3:a:oracle:openjdk:7:update171::::::
	cpe:2.3:a:oracle:openjdk:7:update181::::::
	cpe:2.3:a:oracle:openjdk:7:update191::::::
	cpe:2.3:a:oracle:openjdk:7:update2::::::
	cpe:2.3:a:oracle:openjdk:7:update201::::::
	cpe:2.3:a:oracle:openjdk:7:update21::::::
	cpe:2.3:a:oracle:openjdk:7:update211::::::
	cpe:2.3:a:oracle:openjdk:7:update221::::::
	cpe:2.3:a:oracle:openjdk:7:update231::::::
	cpe:2.3:a:oracle:openjdk:7:update241::::::
	cpe:2.3:a:oracle:openjdk:7:update25::::::
	cpe:2.3:a:oracle:openjdk:7:update251::::::
	cpe:2.3:a:oracle:openjdk:7:update261::::::
	cpe:2.3:a:oracle:openjdk:7:update271::::::
	cpe:2.3:a:oracle:openjdk:7:update281::::::
	cpe:2.3:a:oracle:openjdk:7:update291::::::
	cpe:2.3:a:oracle:openjdk:7:update3::::::
	cpe:2.3:a:oracle:openjdk:7:update301::::::
	cpe:2.3:a:oracle:openjdk:7:update311::::::
	cpe:2.3:a:oracle:openjdk:7:update321::::::
	cpe:2.3:a:oracle:openjdk:7:update4::::::
	cpe:2.3:a:oracle:openjdk:7:update40::::::
	cpe:2.3:a:oracle:openjdk:7:update45::::::
	cpe:2.3:a:oracle:openjdk:7:update5::::::
	cpe:2.3:a:oracle:openjdk:7:update51::::::
	cpe:2.3:a:oracle:openjdk:7:update55::::::
	cpe:2.3:a:oracle:openjdk:7:update6::::::
	cpe:2.3:a:oracle:openjdk:7:update60::::::
	cpe:2.3:a:oracle:openjdk:7:update65::::::
	cpe:2.3:a:oracle:openjdk:7:update67::::::
	cpe:2.3:a:oracle:openjdk:7:update7::::::
	cpe:2.3:a:oracle:openjdk:7:update72::::::
	cpe:2.3:a:oracle:openjdk:7:update76::::::
	cpe:2.3:a:oracle:openjdk:7:update80::::::
	cpe:2.3:a:oracle:openjdk:7:update85::::::
	cpe:2.3:a:oracle:openjdk:7:update9::::::
	cpe:2.3:a:oracle:openjdk:7:update91::::::
	cpe:2.3:a:oracle:openjdk:7:update95::::::
	cpe:2.3:a:oracle:openjdk:7:update97::::::
	cpe:2.3:a:oracle:openjdk:7:update99::::::
	cpe:2.3:a:oracle:openjdk:8:-::::::
	cpe:2.3:a:oracle:openjdk:8:milestone1::::::
	cpe:2.3:a:oracle:openjdk:8:milestone2::::::
	cpe:2.3:a:oracle:openjdk:8:milestone3::::::
	cpe:2.3:a:oracle:openjdk:8:milestone4::::::
	cpe:2.3:a:oracle:openjdk:8:milestone5::::::
	cpe:2.3:a:oracle:openjdk:8:milestone6::::::
cpe:2.3:a:oracle:openjdk:8:milestone7::::::
cpe:2.3:a:oracle:openjdk:8:milestone8::::::
cpe:2.3:a:oracle:openjdk:8:milestone9::::::
cpe:2.3:a:oracle:openjdk:8:update101::::::
cpe:2.3:a:oracle:openjdk:8:update102::::::
cpe:2.3:a:oracle:openjdk:8:update11::::::
cpe:2.3:a:oracle:openjdk:8:update111::::::
cpe:2.3:a:oracle:openjdk:8:update112::::::
cpe:2.3:a:oracle:openjdk:8:update121::::::
cpe:2.3:a:oracle:openjdk:8:update131::::::
cpe:2.3:a:oracle:openjdk:8:update141::::::
cpe:2.3:a:oracle:openjdk:8:update151::::::
cpe:2.3:a:oracle:openjdk:8:update152::::::
cpe:2.3:a:oracle:openjdk:8:update161::::::
cpe:2.3:a:oracle:openjdk:8:update162::::::
cpe:2.3:a:oracle:openjdk:8:update171::::::
cpe:2.3:a:oracle:openjdk:8:update172::::::
cpe:2.3:a:oracle:openjdk:8:update181::::::
cpe:2.3:a:oracle:openjdk:8:update191::::::
cpe:2.3:a:oracle:openjdk:8:update192::::::
cpe:2.3:a:oracle:openjdk:8:update20::::::
cpe:2.3:a:oracle:openjdk:8:update201::::::
cpe:2.3:a:oracle:openjdk:8:update202::::::
cpe:2.3:a:oracle:openjdk:8:update211::::::
cpe:2.3:a:oracle:openjdk:8:update212::::::
cpe:2.3:a:oracle:openjdk:8:update221::::::
cpe:2.3:a:oracle:openjdk:8:update222::::::
cpe:2.3:a:oracle:openjdk:8:update231::::::
cpe:2.3:a:oracle:openjdk:8:update232::::::
cpe:2.3:a:oracle:openjdk:8:update241::::::
cpe:2.3:a:oracle:openjdk:8:update242::::::
cpe:2.3:a:oracle:openjdk:8:update25::::::
cpe:2.3:a:oracle:openjdk:8:update252::::::
cpe:2.3:a:oracle:openjdk:8:update262::::::
cpe:2.3:a:oracle:openjdk:8:update271::::::
cpe:2.3:a:oracle:openjdk:8:update281::::::
cpe:2.3:a:oracle:openjdk:8:update282::::::
cpe:2.3:a:oracle:openjdk:8:update291::::::
cpe:2.3:a:oracle:openjdk:8:update301::::::
cpe:2.3:a:oracle:openjdk:8:update302::::::
cpe:2.3:a:oracle:openjdk:8:update31::::::
cpe:2.3:a:oracle:openjdk:8:update312::::::
cpe:2.3:a:oracle:openjdk:8:update40::::::
cpe:2.3:a:oracle:openjdk:8:update45::::::
cpe:2.3:a:oracle:openjdk:8:update5::::::
cpe:2.3:a:oracle:openjdk:8:update51::::::
cpe:2.3:a:oracle:openjdk:8:update60::::::
cpe:2.3:a:oracle:openjdk:8:update65::::::
cpe:2.3:a:oracle:openjdk:8:update66::::::
cpe:2.3:a:oracle:openjdk:8:update71::::::
cpe:2.3:a:oracle:openjdk:8:update72::::::
cpe:2.3:a:oracle:openjdk:8:update73::::::
cpe:2.3:a:oracle:openjdk:8:update74::::::
cpe:2.3:a:oracle:openjdk:8:update77::::::
cpe:2.3:a:oracle:openjdk:8:update91::::::
cpe:2.3:a:oracle:openjdk:8:update92::::::
cpe:2.3:a:oracle:openjdk:17:::::::*
cpe:2.3:a:oracle:openjdk:17.0.1:::::::*

Package	CPE	Advisory	Released Date
Red Hat Build of OpenJDK 11.0.14
Linux	cpe:/a:redhat:openjdk:11	RHSA-2022:0228	2022-01-24T00:00:00Z
Windows	cpe:/a:redhat:openjdk:11::windows	RHSA-2022:0229	2022-01-24T00:00:00Z
Red Hat Build of OpenJDK 17.0.2
Linux	cpe:/a:redhat:openjdk:17	RHSA-2022:0166	2022-01-24T00:00:00Z
Windows	cpe:/a:redhat:openjdk:17::windows	RHSA-2022:0165	2022-01-24T00:00:00Z
Red Hat Build of OpenJDK 8u322
Linux	cpe:/a:redhat:openjdk:1.8	RHSA-2022:0317	2022-01-27T00:00:00Z
Windows	cpe:/a:redhat:openjdk:1.8::windows	RHSA-2022:0321	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 7
java-11-openjdk-1:11.0.14.0.9-1.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2022:0204	2022-01-24T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.322.b06-1.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2022:0306	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 7 Supplementary
java-1.8.0-ibm-1:1.8.0.7.5-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2022:0968	2022-03-21T00:00:00Z
java-1.7.1-ibm-1:1.7.1.5.5-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2022:0969	2022-03-21T00:00:00Z
Red Hat Enterprise Linux 8
java-17-openjdk-1:17.0.2.0.8-4.el8_5	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:0161	2022-01-19T00:00:00Z
java-11-openjdk-1:11.0.14.0.9-2.el8_5	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:0185	2022-01-24T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.322.b06-2.el8_5	cpe:/a:redhat:enterprise_linux:8	RHSA-2022:0307	2022-01-27T00:00:00Z
java-1.8.0-ibm-1:1.8.0.7.5-1.el8_5	cpe:/a:redhat:enterprise_linux:8::supplementary	RHSA-2022:0970	2022-03-21T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
java-11-openjdk-1:11.0.14.0.9-1.el8_1	cpe:/a:redhat:rhel_e4s:8.1	RHSA-2022:0233	2022-01-24T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.322.b06-1.el8_1	cpe:/a:redhat:rhel_e4s:8.1	RHSA-2022:0304	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support
java-11-openjdk-1:11.0.14.0.9-1.el8_2	cpe:/a:redhat:rhel_eus:8.2	RHSA-2022:0209	2022-01-24T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.322.b06-1.el8_2	cpe:/a:redhat:rhel_eus:8.2	RHSA-2022:0305	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support
java-11-openjdk-1:11.0.14.0.9-2.el8_4	cpe:/a:redhat:rhel_eus:8.4	RHSA-2022:0211	2022-01-24T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.322.b06-2.el8_4	cpe:/a:redhat:rhel_eus:8.4	RHSA-2022:0312	2022-01-27T00:00:00Z

No data.

Project Subscriptions

Vendors	Products
Debian Subscribe	Debian Linux Subscribe
Fedoraproject Subscribe	Fedora Subscribe
Netapp Subscribe	7-mode Transition Tool Subscribe Active Iq Unified Manager Subscribe Cloud Insights Acquisition Unit Subscribe Cloud Secure Agent Subscribe E-series Santricity Os Controller Subscribe E-series Santricity Storage Manager Subscribe E-series Santricity Web Services Subscribe Hci Management Node Subscribe Oncommand Insight Subscribe Oncommand Workflow Automation Subscribe Santricity Storage Plugin Subscribe Santricity Unified Manager Subscribe Snapmanager Subscribe Solidfire Subscribe
Oracle Subscribe	Graalvm Subscribe Jdk Subscribe Jre Subscribe Openjdk Subscribe
Redhat Subscribe	Enterprise Linux Subscribe Openjdk Subscribe Rhel E4s Subscribe Rhel Eus Subscribe Rhel Extras Subscribe

Advisories

Source	ID	Title
Debian DLA	DLA-2917-1	openjdk-8 security update
Debian DSA	DSA-5057-1	openjdk-11 security update
Debian DSA	DSA-5058-1	openjdk-17 security update
EUVD	EUVD-2022-26473	Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Ubuntu USN	USN-5313-1	OpenJDK vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4J2N4FNXW6JKJBWUZH6SNI2UHCZXQXCY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPIWQ6DL5IPOT54UBWTISG5T24FQJ7MN/
https://nvd.nist.gov/vuln/detail/CVE-2022-21248
https://security.gentoo.org/glsa/202209-05
https://security.netapp.com/advisory/ntap-20220121-0007/
https://www.cve.org/CVERecord?id=CVE-2022-21248
https://www.debian.org/security/2022/dsa-5057
https://www.debian.org/security/2022/dsa-5058
https://www.oracle.com/security-alerts/cpujan2022.html

History

Tue, 24 Sep 2024 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2022-01-19T11:22:01

Updated: 2024-09-24T20:32:08.693Z

Reserved: 2021-11-15T00:00:00

Link: CVE-2022-21248

Vulnrichment

Updated: 2024-08-03T02:31:59.380Z

NVD

Status : Modified

Published: 2022-01-19T12:15:10.287

Modified: 2024-11-21T06:44:11.810

Link: CVE-2022-21248

Redhat

Severity : Moderate

Publid Date: 2022-01-18T00:00:00Z

Links: CVE-2022-21248 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object