CVE-2022-21340

medium

Published 2022-01-19 · Modified 2022-03-21

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

RHSA-2022:0970: java-1.8.0-ibm security update (Moderate)

Predictions

Exploit likelihood

63%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026) CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Build of OpenJDK 11.0.14RHSA-2022:02282022-01-24T00:00:00Z Red Hat Build of OpenJDK 11.0.14RHSA-2022:02292022-01-24T00:00:00Z Red Hat Build of OpenJDK…

Description

OpenJDK: Excessive resource use when reading JAR manifest attributes (Libraries, 8272026)

CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Build of OpenJDK 11.0.14		RHSA-2022:0228	2022-01-24T00:00:00Z
Red Hat Build of OpenJDK 11.0.14		RHSA-2022:0229	2022-01-24T00:00:00Z
Red Hat Build of OpenJDK 17.0.2		RHSA-2022:0166	2022-01-24T00:00:00Z
Red Hat Build of OpenJDK 17.0.2	`Windows`	RHSA-2022:0165	2022-01-24T00:00:00Z
Red Hat Build of OpenJDK 8u322		RHSA-2022:0317	2022-01-27T00:00:00Z
Red Hat Build of OpenJDK 8u322		RHSA-2022:0321	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 7	`java-11-openjdk-1:11.0.14.0.9-1.el7_9`	RHSA-2022:0204	2022-01-24T00:00:00Z
Red Hat Enterprise Linux 7	`java-1.8.0-openjdk-1:1.8.0.322.b06-1.el7_9`	RHSA-2022:0306	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 7 Supplementary	`java-1.8.0-ibm-1:1.8.0.7.5-1jpp.1.el7`	RHSA-2022:0968	2022-03-21T00:00:00Z
Red Hat Enterprise Linux 7 Supplementary	`java-1.7.1-ibm-1:1.7.1.5.5-1jpp.1.el7`	RHSA-2022:0969	2022-03-21T00:00:00Z
Red Hat Enterprise Linux 8	`java-17-openjdk-1:17.0.2.0.8-4.el8_5`	RHSA-2022:0161	2022-01-19T00:00:00Z
Red Hat Enterprise Linux 8	`java-11-openjdk-1:11.0.14.0.9-2.el8_5`	RHSA-2022:0185	2022-01-24T00:00:00Z
Red Hat Enterprise Linux 8	`java-1.8.0-openjdk-1:1.8.0.322.b06-2.el8_5`	RHSA-2022:0307	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 8	`java-1.8.0-ibm-1:1.8.0.7.5-1.el8_5`	RHSA-2022:0970	2022-03-21T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions	`java-11-openjdk-1:11.0.14.0.9-1.el8_1`	RHSA-2022:0233	2022-01-24T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions	`java-1.8.0-openjdk-1:1.8.0.322.b06-1.el8_1`	RHSA-2022:0304	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support	`java-11-openjdk-1:11.0.14.0.9-1.el8_2`	RHSA-2022:0209	2022-01-24T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support	`java-1.8.0-openjdk-1:1.8.0.322.b06-1.el8_2`	RHSA-2022:0305	2022-01-27T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support	`java-11-openjdk-1:11.0.14.0.9-2.el8_4`	RHSA-2022:0211	2022-01-24T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support	`java-1.8.0-openjdk-1:1.8.0.322.b06-2.el8_4`	RHSA-2022:0312	2022-01-27T00:00:00Z

Package state

Product	Package	State
Red Hat build of OpenJDK 11	`Linux`	Affected
Red Hat build of OpenJDK 11	`Windows`	Affected
Red Hat build of OpenJDK 17	`Linux`	Affected
Red Hat build of OpenJDK 1.8	`Linux`	Affected
Red Hat build of OpenJDK 1.8	`Windows`	Affected
Red Hat Enterprise Linux 6	`java-1.6.0-openjdk`	Out of support scope
Red Hat Enterprise Linux 6	`java-1.7.0-openjdk`	Out of support scope
Red Hat Enterprise Linux 6	`java-1.8.0-openjdk`	Out of support scope
Red Hat Enterprise Linux 7	`java-1.6.0-openjdk`	Out of support scope
Red Hat Enterprise Linux 7	`java-1.7.0-openjdk`	Out of support scope

Apply commands

bash fix

Apply RHSA-2022:0165 for Red Hat Build of OpenJDK 17.0.2

yum update -y Windows
# or:
dnf upgrade -y Windows

Affected

Vendor	Product	Version
redhat	Red Hat build of OpenJDK 11	`Affected`
redhat	Red Hat build of OpenJDK 11	`Affected`
redhat	Red Hat build of OpenJDK 17	`Affected`
redhat	Red Hat build of OpenJDK 1.8	`Affected`
redhat	Red Hat build of OpenJDK 1.8	`Affected`

OS impact

OS	Version	Status	Fixed in
sles		affected
rocky	8	fixed
debian	9.0	affected
debian	10.0	affected
debian	11.0	affected
debian	bullseye	fixed	`11.0.14+9-1~deb11u1`
debian	sid	fixed	`11.0.14+9-1`
debian	bookworm	fixed	`17.0.2+8-1`
rhel	8	fixed

Application impact

Vendor	Product	Versions
oracle	graalvm	`20.3.4`
oracle	graalvm	`21.3.0`
oracle	jdk	`1.7.0`
oracle	jdk	`1.8.0`
oracle	jdk	`11.0.13`
oracle	jdk	`17.0.1`
oracle	jre	`1.7.0`
oracle	jre	`1.8.0`
oracle	jre	`11.0.13`
oracle	jre	`17.0.1`
netapp	7-mode_transition_tool	`-`
netapp	active_iq_unified_manager	`-`
netapp	cloud_insights_acquisition_unit	`-`
netapp	cloud_secure_agent	`-`
netapp	e-series_santricity_os_controller	`{"startIncluding":"11.0.0","endIncluding":"11.70.1"}`
netapp	e-series_santricity_storage_manager	`-`
netapp	e-series_santricity_web_services	`-`
netapp	hci_management_node	`-`
netapp	oncommand_insight	`-`
netapp	oncommand_workflow_automation	`-`
netapp	santricity_storage_plugin	`-`
netapp	santricity_unified_manager	`-`
netapp	snapmanager	`-`
netapp	solidfire	`-`
oracle	openjdk	`{"startIncluding":"11","endIncluding":"11.0.13"}`
oracle	openjdk	`7`
oracle	openjdk	`8`
oracle	openjdk	`17`
oracle	openjdk	`17.0.1`
oracle	graalvm	`20.3.4`
oracle	graalvm	`21.3.0`
oracle	jdk	`1.7.0`
oracle	jdk	`1.8.0`
oracle	jdk	`11.0.13`
oracle	jdk	`17.0.1`
oracle	jre	`1.7.0`
oracle	jre	`1.8.0`
oracle	jre	`11.0.13`
oracle	jre	`17.0.1`
netapp	7-mode_transition_tool	`-`
netapp	active_iq_unified_manager	`-`
netapp	cloud_insights_acquisition_unit	`-`
netapp	cloud_secure_agent	`-`
netapp	e-series_santricity_os_controller	`{"startIncluding":"11.0.0","endIncluding":"11.70.1"}`
netapp	e-series_santricity_storage_manager	`-`
netapp	e-series_santricity_web_services	`-`
netapp	hci_management_node	`-`
netapp	oncommand_insight	`-`
netapp	oncommand_workflow_automation	`-`
netapp	santricity_storage_plugin	`-`
netapp	santricity_unified_manager	`-`
netapp	snapmanager	`-`
netapp	solidfire	`-`
oracle	openjdk	`{"startIncluding":"11","endIncluding":"11.0.13"}`
oracle	openjdk	`7`
oracle	openjdk	`8`
oracle	openjdk	`17`
oracle	openjdk	`17.0.1`

References

CWEs

CWE-400

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.