CVE-2022-21365: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Oracle Java SE and Oracle GraalVM Enterprise Edition's ImageIO component. The affected versions include Oracle Java SE versions 7u321, 8u311, 11.0.13, 17.0.1, and Oracle GraalVM Enterprise Edition versions 20.3.4 and 21.3.0. The vulnerability was disclosed on January 19, 2022 (Oracle CPU).

The vulnerability is easily exploitable by an unauthenticated attacker with network access via multiple protocols. It primarily affects Java deployments that run sandboxed Java Web Start applications or sandboxed Java applets, which load and run untrusted code from the internet and rely on the Java sandbox for security. The vulnerability can also be exploited through APIs in the ImageIO component, such as through a web service that supplies data to the APIs. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.3 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE and Oracle GraalVM Enterprise Edition (Oracle CPU).

Oracle has released patches to address this vulnerability. Users should upgrade to the fixed versions: Java SE 7u322 or later, 8u312 or later, 11.0.14 or later, 17.0.2 or later, and GraalVM Enterprise Edition versions after 20.3.4 and 21.3.0. Various Linux distributions have also released security updates, including Debian with openjdk-8 version 8u322-b06-1~deb9u1 and openjdk-11 version 11.0.14+9-1~deb10u1 (Debian Security).