CVE-2022-21305: 
Java vulnerability analysis and mitigation

CVE-2022-21305 is a vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition, specifically affecting the Hotspot component. The vulnerability was disclosed in January 2022 and affects multiple versions including Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1, and Oracle GraalVM Enterprise Edition versions 20.3.4 and 21.3.0. This vulnerability is particularly concerning for Java deployments that run sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet (Oracle CPE).

The vulnerability is classified as easily exploitable, allowing unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (NetApp Advisory).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability is particularly impactful for systems that rely on the Java sandbox for security and can also be exploited through APIs in the specified Component, such as through web services that supply data to the APIs (Oracle CPE).

Oracle has released patches for the affected versions as part of its January 2022 Critical Patch Update. Various distributions have also released security updates, including Debian which has patched the vulnerability in openjdk-11 version 11.0.14+9-1~deb11u1 for bullseye and version 11.0.14+9-1~deb10u1 for buster, and in openjdk-17 version 17.0.2+8-1~deb11u1 (Debian DSA-5057, Debian DSA-5058).