CVE-2022-24816: 
Java vulnerability analysis and mitigation

JAI-EXT, an open-source project extending the Java Advanced Imaging (JAI) API, was found to contain a critical vulnerability (CVE-2022-24816) that allows remote code execution through Jiffle script injection. The vulnerability was disclosed on April 13, 2022, affecting versions prior to 1.1.22, with particular impact on the downstream GeoServer project. The vulnerability occurs when Jiffle scripts provided via network requests are compiled into Java code using Janino and then executed (GitHub Advisory).

The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 base score of 10.0. The attack vector is Network-based (N), requiring Low attack complexity (L), with No privileges (N) or user interaction (N) needed. The scope is Changed (C), with High impact on Confidentiality, Integrity, and Availability (H,H,H). The vulnerability is classified as CWE-94 (Improper Control of Generation of Code - 'Code Injection') (NVD, GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code remotely through Jiffle script injection. This poses a significant security risk as it could lead to complete system compromise, affecting the confidentiality, integrity, and availability of the affected systems. The impact is particularly severe for applications that expose Jiffle script functionality through network interfaces (GitHub Advisory).

Two mitigation options are available: 1) Upgrade to version 1.1.22 or later, which contains a patch that disables the ability to inject malicious code into the resulting script, or 2) For users unable to upgrade, remove the janino-x.y.z.jar from the classpath to negate the ability to compile Jiffle scripts from the final application (GitHub Advisory).