CVE-2022-21426
high
CVSS v3
—
CVSS v4 NEW
—
VIR risk
8.0
Description
RHSA-2022:1491: java-1.8.0-openjdk security update (Important)
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API
Description OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Build of OpenJDK 11.0.15RHSA-2022:14352022-04-28T00:00:00Z Red Hat Build of OpenJDK 11.0.15RHSA-2022:14392022-04-28T00:00:00Z Red Hat Build of OpenJDK…
Description
OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Build of OpenJDK 11.0.15 | | RHSA-2022:1435 | 2022-04-28T00:00:00Z |
| Red Hat Build of OpenJDK 11.0.15 | | RHSA-2022:1439 | 2022-04-28T00:00:00Z |
| Red Hat Build of OpenJDK 17.0.3 | | RHSA-2022:1436 | 2022-04-28T00:00:00Z |
| Red Hat Build of OpenJDK 17.0.3 | | RHSA-2022:1437 | 2022-04-28T00:00:00Z |
| Red Hat Build of OpenJDK 8u332 | | RHSA-2022:1438 | 2022-04-28T00:00:00Z |
| Red Hat Build of OpenJDK 8u332 | | RHSA-2022:1492 | 2022-04-28T00:00:00Z |
| Red Hat Enterprise Linux 7 | java-11-openjdk-1:11.0.15.0.9-2.el7_9 | RHSA-2022:1440 | 2022-04-20T00:00:00Z |
| Red Hat Enterprise Linux 7 | java-1.8.0-openjdk-1:1.8.0.332.b09-1.el7_9 | RHSA-2022:1487 | 2022-04-25T00:00:00Z |
| Red Hat Enterprise Linux 7 Supplementary | java-1.8.0-ibm-1:1.8.0.8.0-1jpp.1.el7 | RHSA-2023:3136 | 2023-05-16T00:00:00Z |
| Red Hat Enterprise Linux 8 | java-11-openjdk-1:11.0.15.0.9-2.el8_5 | RHSA-2022:1442 | 2022-04-20T00:00:00Z |
| Red Hat Enterprise Linux 8 | java-17-openjdk-1:17.0.3.0.6-2.el8_5 | RHSA-2022:1445 | 2022-04-20T00:00:00Z |
| Red Hat Enterprise Linux 8 | java-1.8.0-openjdk-1:1.8.0.332.b09-1.el8_5 | RHSA-2022:1491 | 2022-04-25T00:00:00Z |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | java-11-openjdk-1:11.0.15.0.9-2.el8_1 | RHSA-2022:1444 | 2022-04-20T00:00:00Z |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | java-1.8.0-openjdk-1:1.8.0.332.b09-1.el8_1 | RHSA-2022:1488 | 2022-04-25T00:00:00Z |
| Red Hat Enterprise Linux 8.2 Extended Update Support | java-11-openjdk-1:11.0.15.0.9-2.el8_2 | RHSA-2022:1443 | 2022-04-20T00:00:00Z |
| Red Hat Enterprise Linux 8.2 Extended Update Support | java-1.8.0-openjdk-1:1.8.0.332.b09-1.el8_2 | RHSA-2022:1489 | 2022-04-25T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Extended Update Support | java-11-openjdk-1:11.0.15.0.9-2.el8_4 | RHSA-2022:1441 | 2022-04-20T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Extended Update Support | java-1.8.0-openjdk-1:1.8.0.332.b09-1.el8_4 | RHSA-2022:1490 | 2022-04-25T00:00:00Z |
| Red Hat Enterprise Linux 9 | java-11-openjdk-1:11.0.15.0.10-1.el9_0 | RHSA-2022:1728 | 2022-05-17T00:00:00Z |
| Red Hat Enterprise Linux 9 | java-17-openjdk-1:17.0.3.0.7-1.el9_0 | RHSA-2022:1729 | 2022-05-17T00:00:00Z |
| Red Hat Enterprise Linux 9 | java-1.8.0-openjdk-1:1.8.0.332.b09-1.el9_0 | RHSA-2022:2137 | 2022-05-17T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat build of OpenJDK 11 | Linux | Affected |
| Red Hat build of OpenJDK 11 | Windows | Affected |
| Red Hat build of OpenJDK 17 | Linux | Affected |
| Red Hat build of OpenJDK 17 | Windows | Affected |
| Red Hat build of OpenJDK 1.8 | Linux | Affected |
| Red Hat build of OpenJDK 1.8 | Windows | Affected |
| Red Hat Enterprise Linux 6 | java-1.6.0-openjdk | Out of support scope |
| Red Hat Enterprise Linux 6 | java-1.7.0-openjdk | Out of support scope |
| Red Hat Enterprise Linux 6 | java-1.8.0-openjdk | Out of support scope |
| Red Hat Enterprise Linux 7 | java-1.6.0-openjdk | Out of support scope |
| Red Hat Enterprise Linux 7 | java-1.7.0-openjdk | Out of support scope |
| Red Hat Enterprise Linux 7 | java-1.7.1-ibm | Out of support scope |
| Red Hat Enterprise Linux 8 | java-1.8.0-ibm | Affected |
Apply commands
Apply RHSA-2022:1440 for Red Hat Enterprise Linux 7
yum update -y java
# or:
dnf upgrade -y javaAffected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat build of OpenJDK 11 | Affected |
| redhat | Red Hat build of OpenJDK 11 | Affected |
| redhat | Red Hat build of OpenJDK 17 | Affected |
| redhat | Red Hat build of OpenJDK 17 | Affected |
| redhat | Red Hat build of OpenJDK 1.8 | Affected |
| redhat | Red Hat build of OpenJDK 1.8 | Affected |
| redhat | Red Hat Enterprise Linux 8 | Affected |
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| arch | fixed | 8.323-1 | |
| sles | affected | | |
| rocky | 8 | fixed | |
| debian | bullseye | fixed | 11.0.15+10-1~deb11u1 |
| debian | sid | fixed | 11.0.15+10-1 |
| debian | bookworm | fixed | 17.0.3+7-1 |
| rhel | 8 | fixed | |
References
- https://access.redhat.com/errata/RHSA-2022:1728
- https://access.redhat.com/errata/RHSA-2022:1729
- https://access.redhat.com/errata/RHSA-2022:2137
- https://www.suse.com/security/cve/CVE-2022-21426.html
- https://errata.rockylinux.org/RLSA-2022:1491
- https://errata.rockylinux.org/RLSA-2022:1442
- https://errata.rockylinux.org/RLSA-2022:1445
- https://security-tracker.debian.org/tracker/CVE-2022-21426
- https://errata.almalinux.org/8/ALSA-2022-1442.html
- https://errata.almalinux.org/8/ALSA-2022-1445.html
- https://errata.almalinux.org/8/ALSA-2022-1491.html
- https://access.redhat.com/errata/RHSA-2022:1442
- https://access.redhat.com/errata/RHSA-2022:1445
- https://access.redhat.com/errata/RHSA-2022:1491
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.