ID

VAR-202204-0593


CVE

CVE-2022-21426


TITLE

Ubuntu Security Notice USN-5546-1

Trust: 0.1

sources: PACKETSTORM: 167980

DESCRIPTION

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). ========================================================================= Ubuntu Security Notice USN-5546-1 August 04, 2022 openjdk-8, openjdk-lts, openjdk-17, openjdk-18 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in OpenJDK. Software Description: - openjdk-17: Open Source Java implementation - openjdk-18: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Details: Neil Madden discovered that OpenJDK did not properly verify ECDSA signatures. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 17 and OpenJDK 18. (CVE-2022-21449) It was discovered that OpenJDK incorrectly limited memory when compiling a specially crafted XPath expression. An attacker could possibly use this issue to cause a denial of service. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21426) It was discovered that OpenJDK incorrectly handled converting certain object arguments into their textual representations. An attacker could possibly use this issue to cause a denial of service. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21434) It was discovered that OpenJDK incorrectly validated the encoded length of certain object identifiers. An attacker could possibly use this issue to cause a denial of service. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21443) It was discovered that OpenJDK incorrectly validated certain paths. An attacker could possibly use this issue to bypass the secure validation feature and expose sensitive information in XML files. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21476) It was discovered that OpenJDK incorrectly parsed certain URI strings. An attacker could possibly use this issue to make applications accept invalid of malformed URI strings. This issue was fixed in OpenJDK 8 and OpenJDK 18. USN-5388-1 and USN-5388-2 addressed this issue in OpenJDK 11 and OpenJDK 17. (CVE-2022-21496) It was discovered that OpenJDK incorrectly generated class code in the Hotspot component. An attacker could possibly use this issue to obtain sensitive information. (CVE-2022-21540) It was dicovered that OpenJDK incorrectly restricted access to the invokeBasic() method in the Hotspot component. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2022-21541) It was discovered that OpenJDK incorrectly computed exponentials. An attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 17. (CVE-2022-21549) It was discovered that OpenJDK includes a copy of Xalan that incorrectly handled integer truncation. An attacker could possibly use this issue to execute arbitrary code. (CVE-2022-34169) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: openjdk-11-jdk 11.0.16+8-0ubuntu1~22.04 openjdk-11-jre 11.0.16+8-0ubuntu1~22.04 openjdk-11-jre-headless 11.0.16+8-0ubuntu1~22.04 openjdk-11-jre-zero 11.0.16+8-0ubuntu1~22.04 openjdk-17-jdk 17.0.4+8-1~22.04 openjdk-17-jre 17.0.4+8-1~22.04 openjdk-17-jre-headless 17.0.4+8-1~22.04 openjdk-17-jre-zero 17.0.4+8-1~22.04 openjdk-18-jdk 18.0.2+9-2~22.04 openjdk-18-jre 18.0.2+9-2~22.04 openjdk-18-jre-headless 18.0.2+9-2~22.04 openjdk-18-jre-zero 18.0.2+9-2~22.04 openjdk-8-jdk 8u342-b07-0ubuntu1~22.04 openjdk-8-jre 8u342-b07-0ubuntu1~22.04 openjdk-8-jre-headless 8u342-b07-0ubuntu1~22.04 openjdk-8-jre-zero 8u342-b07-0ubuntu1~22.04 Ubuntu 20.04 LTS: openjdk-11-jdk 11.0.16+8-0ubuntu1~20.04 openjdk-11-jre 11.0.16+8-0ubuntu1~20.04 openjdk-11-jre-headless 11.0.16+8-0ubuntu1~20.04 openjdk-11-jre-zero 11.0.16+8-0ubuntu1~20.04 openjdk-17-jdk 17.0.4+8-1~20.04 openjdk-17-jre 17.0.4+8-1~20.04 openjdk-17-jre-headless 17.0.4+8-1~20.04 openjdk-17-jre-zero 17.0.4+8-1~20.04 openjdk-8-jdk 8u342-b07-0ubuntu1~20.04 openjdk-8-jre 8u342-b07-0ubuntu1~20.04 openjdk-8-jre-headless 8u342-b07-0ubuntu1~20.04 openjdk-8-jre-zero 8u342-b07-0ubuntu1~20.04 Ubuntu 18.04 LTS: openjdk-11-jdk 11.0.16+8-0ubuntu1~18.04 openjdk-11-jre 11.0.16+8-0ubuntu1~18.04 openjdk-11-jre-headless 11.0.16+8-0ubuntu1~18.04 openjdk-11-jre-zero 11.0.16+8-0ubuntu1~18.04 openjdk-17-jdk 17.0.4+8-1~18.04 openjdk-17-jre 17.0.4+8-1~18.04 openjdk-17-jre-headless 17.0.4+8-1~18.04 openjdk-17-jre-zero 17.0.4+8-1~18.04 openjdk-8-jdk 8u342-b07-0ubuntu1~18.04 openjdk-8-jre 8u342-b07-0ubuntu1~18.04 openjdk-8-jre-headless 8u342-b07-0ubuntu1~18.04 openjdk-8-jre-zero 8u342-b07-0ubuntu1~18.04 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5546-1 CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21449, CVE-2022-21476, CVE-2022-21496, CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-34169 Package Information: https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~22.04 https://launchpad.net/ubuntu/+source/openjdk-18/18.0.2+9-2~22.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~22.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~22.04 https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~20.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~20.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~20.04 https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~18.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~18.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~18.04 . Description: Version 1.22.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10. Bugs fixed (https://bugzilla.redhat.com/): 2020725 - CVE-2021-41771 golang: debug/macho: invalid dynamic symbol table command can cause panic 2020736 - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string 5. References: https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2021-3999 https://access.redhat.com/security/cve/CVE-2021-23177 https://access.redhat.com/security/cve/CVE-2021-31566 https://access.redhat.com/security/cve/CVE-2021-41771 https://access.redhat.com/security/cve/CVE-2021-41772 https://access.redhat.com/security/cve/CVE-2021-45960 https://access.redhat.com/security/cve/CVE-2021-46143 https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/cve/CVE-2022-21426 https://access.redhat.com/security/cve/CVE-2022-21434 https://access.redhat.com/security/cve/CVE-2022-21443 https://access.redhat.com/security/cve/CVE-2022-21449 https://access.redhat.com/security/cve/CVE-2022-21476 https://access.redhat.com/security/cve/CVE-2022-21496 https://access.redhat.com/security/cve/CVE-2022-22822 https://access.redhat.com/security/cve/CVE-2022-22823 https://access.redhat.com/security/cve/CVE-2022-22824 https://access.redhat.com/security/cve/CVE-2022-22825 https://access.redhat.com/security/cve/CVE-2022-22826 https://access.redhat.com/security/cve/CVE-2022-22827 https://access.redhat.com/security/cve/CVE-2022-23218 https://access.redhat.com/security/cve/CVE-2022-23219 https://access.redhat.com/security/cve/CVE-2022-23308 https://access.redhat.com/security/cve/CVE-2022-23852 https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/cve/CVE-2022-25236 https://access.redhat.com/security/cve/CVE-2022-25315 For details about the security issues see these CVE pages: * https://access.redhat.com/security/updates/classification/#low * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index 6. For the oldstable distribution (buster), this problem has been fixed in version 11.0.15+10-1~deb10u1. For the stable distribution (bullseye), this problem has been fixed in version 11.0.15+10-1~deb11u1. We recommend that you upgrade your openjdk-11 packages. For the detailed security status of openjdk-11 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjdk-11 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmJz7AUACgkQEMKTtsN8 TjYPqQ//acxZ7tw58VvpicLhG3iTGRpUcVEVZwCcs1EGSs5sBAT20Q/rvZNc932o //8ipzrsv1pZX4txFzDi9gI279f27RTIhb+vJCWblPoRt7rXVkB7N5TR0UT4IurP ZCDcKF0PaStHPPrD7ZvVVUSQU09cDvHb0ibNnuXguOLCji9sIaPoubIAJ+NAkMIM 54inl1f4FQSwf1yqvZbjlnSvsDmBQ7nGE//yyajhN+JY29SkZdseLRgkAtGsG9+G 8XshJHdAGSuIeCUpJzbcYFdeikwXzQNP0DhvBGyClNmYUS/C4w9KCo8ab6L1rWhQ vnVDIAdX4zH+GTxtZ7xuelNvYUwiTW4DhYHtEoU8UvrhzJJ0ZtidAdEhoLlxJkdK e767zzyHFx9qbd5UFgwn8XMoJKlkkJtThTARypBcbN7mq9j7bxGV0JGTm1K76KJp j2lIau4swGGkFWD2kTLVO5O/chj5l4gsxX2Mi9ipLiBeD2TVTwY/MV1iX5q4EVMg 3Kt4ZSw2AxgwCPzaaSTBpkRcwJyspsAzIQfkmhnJ170v9iUsf5hg3oJV+Mhxqm/F znuzj1FKQ++A50O+6fGPA48T2DRATM7BMGBbjzWjRJ7KEptHEFnBGdkCU33I0YSm MIYXEATq5Z7D5g5SX2WZLOReTr7Y/PLCd6FRZGcFvbs5zjcKSGM= =Ysyl -----END PGP SIGNATURE----- . 9) - aarch64, noarch, ppc64le, s390x, x86_64 3. 8) - aarch64, ppc64le, s390x, x86_64 3. Bug Fix(es): * Enable the import of plain keys into the NSS Software Token while in FIPS mode [rhel-8, openjdk-17] (BZ#2018189) * Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode [rhel-8, openjdk-17] (BZ#2055396) 4. Bugs fixed (https://bugzilla.redhat.com/): 2018189 - Enable the import of plain keys into the NSS Software Token while in FIPS mode [rhel-8, openjdk-17] [rhel-8.5.0.z] 2055396 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode [rhel-8, openjdk-17] [rhel-8.5.0.z] 2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) 2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) 2075821 - CVE-2022-21449 OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) 2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) 2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) 2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972) 6. This update rectifies this situation and again uses the database provided in the JDK bundle. Users may also now configure the cacerts database in the java.security file using the property security.systemCACerts. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Solution: For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html For Red Hat OpenShift Logging 5.4, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2437 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.4] LOG-2442 - Log file metric exporter not working with /var/log/pods LOG-2448 - Audit and journald logs cannot be viewed from LokiStack, when logs are forwarded with Vector as collector. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: java-1.8.0-ibm security update Advisory ID: RHSA-2023:3136-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://access.redhat.com/errata/RHSA-2023:3136 Issue date: 2023-05-16 CVE Names: CVE-2022-21426 CVE-2023-21830 CVE-2023-21843 ==================================================================== 1. Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64 3. Description: IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. Security Fix(es): * OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426) * OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021) (CVE-2023-21830) * OpenJDK: soundbank URL remote loading (Sound, 8293742) (CVE-2023-21843) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of IBM Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) 2160475 - CVE-2023-21843 OpenJDK: soundbank URL remote loading (Sound, 8293742) 2160490 - CVE-2023-21830 OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021) 6. Package List: Red Hat Enterprise Linux Client Supplementary (v. 7): x86_64: java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-plugin-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Supplementary (v. 7): x86_64: java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 7): ppc64: java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-plugin-1.8.0.8.0-1jpp.1.el7.ppc64.rpm java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7.ppc64.rpm ppc64le: java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7.ppc64le.rpm java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7.ppc64le.rpm java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7.ppc64le.rpm java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7.ppc64le.rpm java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7.ppc64le.rpm s390x: java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7.s390x.rpm java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7.s390x.rpm java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7.s390x.rpm java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7.s390x.rpm java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7.s390x.rpm x86_64: java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-plugin-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 7): x86_64: java-1.8.0-ibm-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-demo-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-jdbc-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-plugin-1.8.0.8.0-1jpp.1.el7.x86_64.rpm java-1.8.0-ibm-src-1.8.0.8.0-1jpp.1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZGQXddzjgjWX9erEAQjtrg//WDCW8/RkoEyTvEChqF7uHnK4V3rBSk9+ ubpNx/M2kajuILXohNxBY4tcm3jyvoL6gwwCQ3iMlWA369AHI7DturxjJQr3GziD pbyWqMR4sIyAKJpf32a4MlUBAg01jby2PCxeiD4Llw1Gf2U/BRsDalXoVz/s7dhB jCO3qNpIbZNmg8gG7jbWbgtCMreM17sONQdWCg5sgfRAKakgcH8xMCWpb02tmLCR gS7f4m24sLDhSvWQGxkhkXwhpiG5wGIYnFaS7cQzdHpHS37qOVGshTpgJEsI9c0S zTfYYkpCJivl/aENlnYKpVgHmSPP9Qxo0TO18A8y53bJXJBLNBjw6fjDkJLcfOuI jwHGNnbR1vAhQieD5ACT7rTADBx8fsv2EAqgvGgopuuOPHSKQYxQgCBQu/ZqBf02 1n3cw0OieNoqW7HqW4qrTkYxma9L5WxfAPTgZhN0OUiWMgLfNtQjuRoSHKGNtwAk //tqVreuJPxNGBajdvXEhDLxuBeLiUnxvkgLgaZ+J39MeI3pV5XPbR1qswy7Nsor 4L+ulZussEs8yZfPzhBMfyARuOGBFX07Cfy1cT381KsisjoUK6OsKnByO/tsOa7d nrm/7B+ANBS59mTjRDKtE4/cdVIwvn9qt9/zg8kSUS1x7CjaQ2qyLbTczKyFRiSK QcLjOlHi3+I=ckJc -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 1.89

sources: NVD: CVE-2022-21426 // VULHUB: VHN-407039 // PACKETSTORM: 167980 // PACKETSTORM: 167008 // PACKETSTORM: 169366 // PACKETSTORM: 167378 // PACKETSTORM: 166804 // PACKETSTORM: 166796 // PACKETSTORM: 166900 // PACKETSTORM: 166898 // PACKETSTORM: 167142 // PACKETSTORM: 172404

AFFECTED PRODUCTS

vendor:netappmodel:e-series santricity os controllerscope:gteversion:11.0.0

Trust: 1.0

vendor:netappmodel:e-series santricity storage managerscope:eqversion: -

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:netappmodel:cloud secure agentscope:eqversion: -

Trust: 1.0

vendor:azulmodel:zuluscope:eqversion:6.45

Trust: 1.0

vendor:oraclemodel:graalvmscope:eqversion:22.0.0.2

Trust: 1.0

vendor:oraclemodel:jrescope:eqversion:11.0.14

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:11.0

Trust: 1.0

vendor:netappmodel:active iq unified managerscope:eqversion: -

Trust: 1.0

vendor:netappmodel:solidfire \& hci management nodescope:eqversion: -

Trust: 1.0

vendor:netappmodel:7-mode transition toolscope:eqversion: -

Trust: 1.0

vendor:netappmodel:oncommand insightscope:eqversion: -

Trust: 1.0

vendor:oraclemodel:jdkscope:eqversion:18

Trust: 1.0

vendor:oraclemodel:jrescope:eqversion:1.8.0

Trust: 1.0

vendor:azulmodel:zuluscope:eqversion:11.54

Trust: 1.0

vendor:oraclemodel:jrescope:eqversion:1.7.0

Trust: 1.0

vendor:azulmodel:zuluscope:eqversion:18.28

Trust: 1.0

vendor:oraclemodel:jrescope:eqversion:17.0.2

Trust: 1.0

vendor:oraclemodel:graalvmscope:eqversion:20.3.5

Trust: 1.0

vendor:netappmodel:e-series santricity os controllerscope:lteversion:11.70.1

Trust: 1.0

vendor:azulmodel:zuluscope:eqversion:13.46

Trust: 1.0

vendor:netappmodel:solidfire\, enterprise sds \& hci storage nodescope:eqversion: -

Trust: 1.0

vendor:azulmodel:zuluscope:eqversion:8.60

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:10.0

Trust: 1.0

vendor:oraclemodel:jdkscope:eqversion:11.0.14

Trust: 1.0

vendor:oraclemodel:jdkscope:eqversion:1.8.0

Trust: 1.0

vendor:oraclemodel:jdkscope:eqversion:1.7.0

Trust: 1.0

vendor:netappmodel:cloud insights acquisition unitscope:eqversion: -

Trust: 1.0

vendor:azulmodel:zuluscope:eqversion:7.52

Trust: 1.0

vendor:oraclemodel:jdkscope:eqversion:17.0.2

Trust: 1.0

vendor:netappmodel:hci compute nodescope:eqversion: -

Trust: 1.0

vendor:netappmodel:e-series santricity web servicesscope:eqversion: -

Trust: 1.0

vendor:netappmodel:santricity unified managerscope:eqversion: -

Trust: 1.0

vendor:azulmodel:zuluscope:eqversion:15.38

Trust: 1.0

vendor:oraclemodel:jrescope:eqversion:18

Trust: 1.0

vendor:azulmodel:zuluscope:eqversion:17.32

Trust: 1.0

vendor:oraclemodel:graalvmscope:eqversion:21.3.1

Trust: 1.0

sources: NVD: CVE-2022-21426

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-21426
value: MEDIUM

Trust: 1.0

secalert_us@oracle.com: CVE-2022-21426
value: MEDIUM

Trust: 1.0

VULHUB: VHN-407039
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-21426
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-407039
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

secalert_us@oracle.com: CVE-2022-21426
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-407039 // NVD: CVE-2022-21426 // NVD: CVE-2022-21426

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2022-21426

THREAT TYPE

remote

Trust: 0.1

sources: PACKETSTORM: 167980

TYPE

info disclosure

Trust: 0.1

sources: PACKETSTORM: 169366

EXTERNAL IDS

db:NVDid:CVE-2022-21426

Trust: 2.1

db:PACKETSTORMid:167378

Trust: 0.2

db:PACKETSTORMid:167008

Trust: 0.2

db:PACKETSTORMid:167980

Trust: 0.2

db:PACKETSTORMid:167142

Trust: 0.2

db:PACKETSTORMid:167385

Trust: 0.1

db:PACKETSTORMid:167327

Trust: 0.1

db:PACKETSTORMid:167388

Trust: 0.1

db:PACKETSTORMid:166967

Trust: 0.1

db:PACKETSTORMid:167122

Trust: 0.1

db:PACKETSTORMid:167088

Trust: 0.1

db:PACKETSTORMid:167164

Trust: 0.1

db:PACKETSTORMid:167140

Trust: 0.1

db:PACKETSTORMid:167271

Trust: 0.1

db:PACKETSTORMid:167979

Trust: 0.1

db:PACKETSTORMid:166954

Trust: 0.1

db:VULHUBid:VHN-407039

Trust: 0.1

db:PACKETSTORMid:169366

Trust: 0.1

db:PACKETSTORMid:166804

Trust: 0.1

db:PACKETSTORMid:166796

Trust: 0.1

db:PACKETSTORMid:166900

Trust: 0.1

db:PACKETSTORMid:166898

Trust: 0.1

db:PACKETSTORMid:172404

Trust: 0.1

sources: VULHUB: VHN-407039 // PACKETSTORM: 167980 // PACKETSTORM: 167008 // PACKETSTORM: 169366 // PACKETSTORM: 167378 // PACKETSTORM: 166804 // PACKETSTORM: 166796 // PACKETSTORM: 166900 // PACKETSTORM: 166898 // PACKETSTORM: 167142 // PACKETSTORM: 172404 // NVD: CVE-2022-21426

REFERENCES

url:https://security.netapp.com/advisory/ntap-20220429-0006/

Trust: 1.1

url:https://www.debian.org/security/2022/dsa-5128

Trust: 1.1

url:https://www.debian.org/security/2022/dsa-5131

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuapr2022.html

Trust: 1.1

url:https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-21426

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2022-21443

Trust: 0.9

url:https://nvd.nist.gov/vuln/detail/cve-2022-21496

Trust: 0.9

url:https://nvd.nist.gov/vuln/detail/cve-2022-21434

Trust: 0.9

url:https://nvd.nist.gov/vuln/detail/cve-2022-21476

Trust: 0.9

url:https://access.redhat.com/security/cve/cve-2022-21426

Trust: 0.8

url:https://access.redhat.com/security/team/contact/

Trust: 0.8

url:https://bugzilla.redhat.com/):

Trust: 0.8

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.8

url:https://access.redhat.com/security/cve/cve-2022-21476

Trust: 0.7

url:https://access.redhat.com/security/cve/cve-2022-21496

Trust: 0.7

url:https://access.redhat.com/security/cve/cve-2022-21443

Trust: 0.7

url:https://access.redhat.com/security/cve/cve-2022-21434

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-21449

Trust: 0.5

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.5

url:https://access.redhat.com/security/team/key/

Trust: 0.4

url:https://access.redhat.com/articles/11258

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2022-21449

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-0778

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-25032

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-25032

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-0778

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~22.04

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~20.04

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~18.04

Trust: 0.1

url:https://ubuntu.com/security/notices/usn-5546-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-21540

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~22.04

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~20.04

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-18/18.0.2+9-2~22.04

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-21541

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~22.04

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-34169

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-17/17.0.4+8-1~20.04

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-8/8u342-b07-0ubuntu1~18.04

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.16+8-0ubuntu1~18.04

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-21549

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-31566

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22825

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-23308

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25236

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#low

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-23177

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-23219

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-23218

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:1747

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-23177

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22825

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23308

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22827

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22823

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-25235

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3999

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-46143

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22826

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23218

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41772

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25235

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-23852

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-46143

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22827

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3999

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22824

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22823

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22824

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-45960

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-41772

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22826

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-41771

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22822

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41771

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23852

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23219

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25315

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-31566

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22822

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-45960

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://security-tracker.debian.org/tracker/openjdk-11

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:2137

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:1443

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:1445

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:1437

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:1438

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/openjdk/8/html/installing_and_using_openjdk_8_for_rhel/assembly_installing-openjdk-8-on-red-hat-enterprise-linux_openjdk#installing-jdk11-on-rhel-using-archive_openjdk

Trust: 0.1

url:https://issues.jboss.org/):

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-43797

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1154

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-37137

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1154

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-43797

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-21698

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-25636

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25636

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-37137

Trust: 0.1

url:https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4028

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-37136

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4028

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-37136

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:2216

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-21698

Trust: 0.1

url:https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1271

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-1271

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-21843

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:3136

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-21830

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2023-21843

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-21830

Trust: 0.1

sources: VULHUB: VHN-407039 // PACKETSTORM: 167980 // PACKETSTORM: 167008 // PACKETSTORM: 169366 // PACKETSTORM: 167378 // PACKETSTORM: 166804 // PACKETSTORM: 166796 // PACKETSTORM: 166900 // PACKETSTORM: 166898 // PACKETSTORM: 167142 // PACKETSTORM: 172404 // NVD: CVE-2022-21426

CREDITS

Red Hat

Trust: 0.8

sources: PACKETSTORM: 167008 // PACKETSTORM: 167378 // PACKETSTORM: 166804 // PACKETSTORM: 166796 // PACKETSTORM: 166900 // PACKETSTORM: 166898 // PACKETSTORM: 167142 // PACKETSTORM: 172404

SOURCES

db:VULHUBid:VHN-407039
db:PACKETSTORMid:167980
db:PACKETSTORMid:167008
db:PACKETSTORMid:169366
db:PACKETSTORMid:167378
db:PACKETSTORMid:166804
db:PACKETSTORMid:166796
db:PACKETSTORMid:166900
db:PACKETSTORMid:166898
db:PACKETSTORMid:167142
db:PACKETSTORMid:172404
db:NVDid:CVE-2022-21426

LAST UPDATE DATE

2026-07-11T19:59:36.973000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-407039date:2022-07-28T00:00:00
db:NVDid:CVE-2022-21426date:2026-06-17T04:26:14.593

SOURCES RELEASE DATE

db:VULHUBid:VHN-407039date:2022-04-19T00:00:00
db:PACKETSTORMid:167980date:2022-08-05T14:51:20
db:PACKETSTORMid:167008date:2022-05-10T14:49:09
db:PACKETSTORMid:169366date:2022-05-28T19:12:00
db:PACKETSTORMid:167378date:2022-06-03T15:37:50
db:PACKETSTORMid:166804date:2022-04-21T15:10:06
db:PACKETSTORMid:166796date:2022-04-21T15:08:42
db:PACKETSTORMid:166900date:2022-04-29T12:36:41
db:PACKETSTORMid:166898date:2022-04-29T12:36:12
db:PACKETSTORMid:167142date:2022-05-12T15:55:09
db:PACKETSTORMid:172404date:2023-05-17T14:05:00
db:NVDid:CVE-2022-21426date:2022-04-19T21:15:15.157