
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-21628 is a vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition, specifically affecting the Lightweight HTTP Server component. The affected versions include Oracle Java SE versions 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19, and Oracle GraalVM Enterprise Edition versions 20.3.7, 21.3.3, and 22.2.0. This vulnerability was disclosed as part of Oracle's October 2022 Critical Patch Update (Oracle CPU).
The vulnerability is characterized as easily exploitable and is reachable over the HTTP protocol. It has received a CVSS 3.1 Base Score of 5.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability specifically affects the Lightweight HTTP Server component and can be exploited by an unauthenticated attacker with network access (NVD).
Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability applies specifically to Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (NVD).
Oracle has released patches for this vulnerability in its October 2022 Critical Patch Update. The fix adds a configurable maximum connection limit, the jdk.httpserver.maxConnections system property. When it is set to a positive integer, each newly accepted connection is checked against the current count of established connections, and if the configured limit has been reached, the new connection is closed immediately (Fedora Updates).
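To show where the mitigation applies, here is an added example (not code from Oracle or from this database) of a minimal com.sun.net.httpserver.HttpServer deployment that reports whether the connection cap is in effect. The property is read by the server implementation when it initializes, so the reliable way to set it is on the JVM command line, e.g. `java -Djdk.httpserver.maxConnections=200 CappedHttpServer`; the class name, bind address and port are my own choices.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.Executors;

/** Lightweight HTTP Server with a connection cap (example code, not from the page). */
public class CappedHttpServer {
    public static void main(String[] args) throws Exception {
        // The cap is only honoured on builds that include the October 2022 CPU fix;
        // on older builds the property is silently ignored, so record the runtime too.
        System.err.println("Java runtime: " + Runtime.version());
        String cap = System.getProperty("jdk.httpserver.maxConnections");
        if (cap == null) {
            System.err.println("jdk.httpserver.maxConnections not set: accepted connections are unbounded");
        } else {
            System.err.println("jdk.httpserver.maxConnections=" + cap
                    + " (connections beyond this count are closed on accept)");
        }

        // Constructed bind address and port for the example.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/", exchange -> {
            byte[] body = "ok\n".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });
        // A bounded executor limits concurrent handler threads; it does not limit
        // accepted sockets, which is what the maxConnections property controls.
        server.setExecutor(Executors.newFixedThreadPool(8));
        server.start();
        System.err.println("Listening on " + server.getAddress());
    }
}
```

Because an unpatched runtime accepts the property without acting on it, a deployment check should confirm both that the property is present in the JVM arguments and that the runtime version is one that carries the fix, rather than treating the property alone as evidence of mitigation.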
Source: This report was generated using AI