CVE-2022-21540: 
NixOS vulnerability analysis and mitigation

CVE-2022-21540 is a vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition, specifically affecting the Hotspot component. The vulnerability affects multiple versions including Oracle Java SE versions 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1, and Oracle GraalVM Enterprise Edition versions 20.3.6, 21.3.2, and 22.1.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition (Oracle Advisory).

The vulnerability is related to class compilation issues in the Hotspot component. It has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in unauthorized read access to data (NVD).

Successful exploitation of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability particularly affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle Advisory).

Oracle has released patches to address this vulnerability in the July 2022 Critical Patch Update. Users are advised to upgrade to the fixed versions: Java SE 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1, and GraalVM Enterprise Edition 20.3.6, 21.3.2, and 22.1.0. Various Linux distributions have also released patches, including Red Hat Enterprise Linux, Debian, and Fedora (Oracle Advisory, Debian Advisory).