ID

VAR-202204-0596

CVE

CVE-2022-21434

TITLE

Oracle Java SE Input validation error vulnerability

DESCRIPTION

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). [openshift-logging 5.2] 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: java-1.7.1-ibm security update Advisory ID: RHSA-2022:4957-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://access.redhat.com/errata/RHSA-2022:4957 Issue date: 2022-06-08 CVE Names: CVE-2021-35561 CVE-2022-21299 CVE-2022-21434 CVE-2022-21443 CVE-2022-21496 ==================================================================== 1. Summary: An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64 3. Description: IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR5-FP10. Security Fix(es): * OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561) * OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299) * OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434) * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443) * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of IBM Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) 2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) 2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) 2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) 2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972) 6. Package List: Red Hat Enterprise Linux Client Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 7): ppc64: java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.ppc64.rpm java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.ppc64.rpm java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.ppc64.rpm java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.ppc64.rpm java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.ppc64.rpm ppc64le: java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.ppc64le.rpm s390x: java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.s390x.rpm java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.s390x.rpm java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.s390x.rpm java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.s390x.rpm java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.s390x.rpm x86_64: java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.5.10-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.5.10-1jpp.1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-35561 https://access.redhat.com/security/cve/CVE-2022-21299 https://access.redhat.com/security/cve/CVE-2022-21434 https://access.redhat.com/security/cve/CVE-2022-21443 https://access.redhat.com/security/cve/CVE-2022-21496 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYqFNktzjgjWX9erEAQgVmQ/9GVBo37J6v+OZMGpw0ZHgDJUgh3zCaX4m bBY2BzzMC+pUhPK9maAqESuM8AcAmatr/UawuxaGvFD7r89QuNRfKTDUpBwzZZLz T60TmAxTFMqNYnHloZAMt2lVosBALa9juOLFL68JeZnMImH4X/GgfLi8vaKwcpSs 7rJKSABBFN4dKP2nH5dzwfywxMR/U+WenDZW2bVW46QtNuH+5RE6iV5uhM/QvsQ3 x4EkfTfaU78yXgyUSBf/68weQS2M6jMb2mb37CEDCBTdYAumGZqE2lwPTV10qvLG OZXvT29LemSojVp2WvkhZLwzccLMA9zOQbhsnY3pyzHt6qGO2Mrl8mpocNyfnAN5 v3EMGZECmZwcpj9dabAhGUOaKoAb+u60pt2UVDJhr93t+4Ixti7cZk2fKp83mbp8 GK98I7bm1pFqGFunTV9RetJEuxgpL5LFAn7I5hznf/Wd/cSMskAuHS6F9XCQo7Po Z7nzdXGZpIFTMTWIzMEHxGmW5gBte7tpLx3fktXzavEf0Xs/MzjOC+9EDWuSuos3 dwgYa9eXABZ2BBd+lk65ndsxWC7FSbwyErnhdJ+087feofeQjazxC2bADsEeGIxv T5x2OtyhTjYtPqPtis5Yi0jLpoBPT/B+vYbb5H/dwqL7Z1fd+tUfvlJPKAOTcUH0 0DBc/eIU86Y\xebZP -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 8) - ppc64le, s390x, x86_64 3. Bugs fixed (https://bugzilla.redhat.com/): 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2437 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.4] LOG-2442 - Log file metric exporter not working with /var/log/pods LOG-2448 - Audit and journald logs cannot be viewed from LokiStack, when logs are forwarded with Vector as collector. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2066837 - CVE-2022-24769 moby: Default inheritable capabilities for linux container should be empty 2081642 - Placeholder bug for OCP 4.7.0 extras release 5. For the stable distribution (bullseye), these problems have been fixed in version 17.0.3+7-1~deb11u1. We recommend that you upgrade your openjdk-17 packages. For the detailed security status of openjdk-17 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjdk-17 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmJxl3wACgkQEMKTtsN8 Tja/zg/7BeUmTL3RGbn6PBexYoRYRGd5TIgkjajpMhKJfgMJezJ95sDP1jKZmZ7W 5W7R3iqBYUIjJl+wcoDpSN2HyApXNUkLTMeTbNgJCwipJwk4LG79zcXLxAtBqmJl hKt8ij5V4wQiou1NDhTYpGdLLQUQ8wQEX05veO5U80KYuMc2TzvRwsjzzAF1K3WM zEKV8HJ3SLJcnb24s2PLpoPZLaWerJurcUwQG01OJVlp4smvuBzw1imExMOG5P9D iX9CogACSoupamHCkpInajxtvzLx/Kb39obHOVIJmYlVJif9Vt4XMd+IRFv1ZiWK bvmsexifgn96D2Qc9uoHMKanMsqb5bjN+jtyRSq/BRpADManyU9O0NPFAxuqkBk2 Zj1YiljDHTHdMmp/lnpMZA8Zxnm7JVQlNxxvrBsLttiEhytCkhAxBOzprXg00yoH HQaRiOsPCDUTlvS73V3e5QfqTjWihUHiIwprxzL0nVIq7gZfwDs7/80QPZjm/yPK OwOLGSobA2J/iyEG5VlLEaxyOBeyAfw5uMR5iHe0TKofyxBXFdSo69/oYDB8CVYp ncJxX9e32EIrB/4aqCM9r/nVhos4QdwDfJIWncQVooQQisPd8zXLccSi9PkFxFQS k4BnXv70QlIq9PnWi209kPyaU3TcQwEYRjZJBZqYRESaHLLnPGw= =O0QV -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation error

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-11-19T22:10:34.160000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE