CVE-2022-21271 Overview
CVE-2022-21271 is a denial of service vulnerability affecting Oracle Java SE and Oracle GraalVM Enterprise Edition within the Libraries component. This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to cause a partial denial of service condition. The vulnerability impacts sandboxed Java Web Start applications, sandboxed Java applets that load and run untrusted code, and can also be exploited through APIs that supply data to the affected component.
Critical Impact
Unauthenticated remote attackers can cause partial denial of service in Java deployments running untrusted code or through web services supplying data to vulnerable APIs.
Affected Products
- Oracle Java SE: 7u321, 8u311, 11.0.13
- Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0
- Oracle HTTP Server: 12.2.1.3.0 and 12.2.1.4.0
- Oracle ZFS Storage Appliance Kit 8.8
- Oracle Solaris 11
- NetApp 7-Mode Transition Tool
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp Cloud Insights Acquisition Unit
- NetApp Cloud Secure Agent
- NetApp E-Series SANtricity OS Controller
- NetApp E-Series SANtricity Storage Manager
- NetApp E-Series SANtricity Web Services
- NetApp HCI Management Node
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
- NetApp SANtricity Unified Manager
- NetApp SnapManager (Oracle and SAP)
- NetApp SolidFire
Discovery Timeline
- 2022-01-19 - CVE-2022-21271 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21271
Vulnerability Analysis
This vulnerability resides in the Libraries component of Oracle Java SE and Oracle GraalVM Enterprise Edition. The flaw allows remote attackers to exploit the vulnerability without authentication through network-accessible protocols. When successfully exploited, an attacker can cause a partial denial of service condition, disrupting availability of affected Java applications.
The vulnerability is particularly concerning for environments running sandboxed Java Web Start applications or Java applets that execute untrusted code sourced from the internet. These deployments rely on the Java sandbox as a security boundary, making this vulnerability a direct threat to their security model.
Additionally, this vulnerability can be exploited through APIs in the Libraries component, such as web services that supply data to vulnerable API endpoints. This extends the attack surface beyond client-side Java deployments to server-side Java applications exposing such APIs.
Root Cause
The root cause lies in improper handling within the Libraries component of Oracle Java SE and Oracle GraalVM Enterprise Edition. While specific technical details have not been publicly disclosed by Oracle, the vulnerability allows attackers to trigger conditions that negatively impact application availability. The issue affects the processing of data that can be supplied through multiple network protocols or via API calls.
Attack Vector
The attack vector is network-based and does not require authentication, privileges, or user interaction. An attacker can exploit this vulnerability by:
- Client-side exploitation: Delivering malicious content to a victim running a sandboxed Java Web Start application or Java applet that loads untrusted code from the network
- Server-side exploitation: Sending specially crafted data to a web service or API that utilizes the affected Libraries component
The exploitation results in partial denial of service, degrading the availability of the affected Java SE or GraalVM Enterprise Edition deployment.
Detection Methods for CVE-2022-21271
Indicators of Compromise
- Unusual network traffic patterns targeting Java-based web services or APIs
- Unexpected resource consumption spikes in Java applications without corresponding legitimate load
- Java process crashes or hangs in applications using the affected Libraries component
- Error logs indicating processing failures in Java library functions
Detection Strategies
- Monitor Java application logs for unusual exceptions or errors in the Libraries component
- Implement network intrusion detection rules to identify anomalous traffic patterns to Java-based services
- Use application performance monitoring (APM) tools to detect degraded performance in Java applications
- Deploy SentinelOne Singularity Platform for real-time behavioral analysis of Java processes
Monitoring Recommendations
- Configure alerting for Java process resource utilization anomalies (CPU, memory spikes)
- Enable verbose logging for Java applications processing untrusted input
- Monitor network connections to Java services for patterns indicative of DoS attempts
- Review web service access logs for unusual request volumes or malformed payloads
How to Mitigate CVE-2022-21271
Immediate Actions Required
- Update Oracle Java SE to a patched version beyond 7u321, 8u311, or 11.0.13
- Update Oracle GraalVM Enterprise Edition beyond versions 20.3.4 and 21.3.0
- Apply vendor patches from Oracle's January 2022 or April 2022 Critical Patch Updates
- Review and update all dependent products including Oracle HTTP Server, Solaris, and NetApp products
- Restrict network access to Java-based services where possible
Patch Information
Oracle has released security patches addressing this vulnerability in their Critical Patch Updates. Administrators should consult the Oracle January 2022 Security Alert and Oracle April 2022 Security Alert for detailed patching guidance.
For NetApp products, refer to the NetApp Security Advisory NTAP-20220121-0007 for product-specific update information.
Gentoo Linux users should consult GLSA 202209-05 for distribution-specific patching guidance.
Workarounds
- Disable Java Web Start and Java applets in browsers if not required
- Restrict network access to Java-based APIs and web services to trusted sources only
- Implement rate limiting on web services that utilize the affected Libraries component
- Consider deploying Web Application Firewalls (WAF) to filter potentially malicious requests
- Isolate Java applications processing untrusted data in network segments with limited connectivity
# Example: Disable Java Plugin in browser (Windows)
# Remove Java plugin registration from browsers
reg delete "HKLM\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin" /f
reg delete "HKLM\SOFTWARE\MozillaPlugins\@java.com/DTPlugin" /f
# Restrict network access to Java services using firewall rules (Linux iptables example)
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
