CVE-2022-21296: 
Java vulnerability analysis and mitigation

A vulnerability was identified in Oracle Java SE and Oracle GraalVM Enterprise Edition's JAXP component, tracked as CVE-2022-21296. The affected versions include Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1, and Oracle GraalVM Enterprise Edition versions 20.3.4 and 21.3.0. This vulnerability was disclosed in January 2022 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability is characterized by its ease of exploitation, allowing unauthenticated attackers with network access to compromise the system via multiple protocols. It received a CVSS 3.1 Base Score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

Successful exploitation of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability specifically affects Java deployments that run sandboxed Java Web Start applications or sandboxed Java applets loading untrusted code from the internet. It can also be exploited through APIs in the JAXP component, such as through web services supplying data to the APIs (Oracle CPU).

Multiple vendors have released patches to address this vulnerability. Oracle has provided fixes in their January 2022 Critical Patch Update. Debian has released security updates for openjdk-11 (versions 11.0.14+9-1~deb10u1 for oldstable and 11.0.14+9-1~deb11u1 for stable) and openjdk-17 (version 17.0.2+8-1~deb11u1). Ubuntu has also provided fixes for affected versions (Debian Advisory, Debian Advisory).