CVE-2022-21282 Overview
CVE-2022-21282 is an information disclosure vulnerability affecting the JAXP (Java API for XML Processing) component of Oracle Java SE and Oracle GraalVM Enterprise Edition. The flaw allows an unauthenticated attacker with network access to compromise affected installations through multiple protocols. Successful exploitation results in unauthorized read access to a subset of accessible data in the targeted Java runtime. The vulnerability impacts Oracle Java SE versions 7u321, 8u311, 11.0.13, and 17.0.1, as well as Oracle GraalVM Enterprise Edition 20.3.4 and 21.3.0. Oracle disclosed the issue in its January 2022 Critical Patch Update.
Critical Impact
Remote, unauthenticated attackers can obtain unauthorized read access to data processed by the JAXP component, exposing XML data handled by sandboxed Java Web Start applications, applets, and web services that pass untrusted input to JAXP APIs.
Affected Products
- Oracle Java SE 7u321, 8u311, 11.0.13, 17.0.1
- Oracle GraalVM Enterprise Edition 20.3.4 and 21.3.0
- OpenJDK, multiple NetApp products (7-Mode Transition Tool, Active IQ Unified Manager, OnCommand Insight, SnapManager, SolidFire, E-Series SANtricity), and Debian Linux 9/10/11
Discovery Timeline
- 2022-01-18 - Oracle releases security patch as part of the January 2022 Critical Patch Update
- 2022-01-19 - CVE-2022-21282 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21282
Vulnerability Analysis
The vulnerability resides in the JAXP (Java API for XML Processing) component used by Oracle Java SE and GraalVM Enterprise Edition. JAXP provides interfaces for parsing, validating, and transforming XML documents through APIs such as javax.xml.parsers, javax.xml.transform, and javax.xml.xpath. The flaw enables an attacker to trigger unintended data read operations during XML processing, returning information that should remain inaccessible.
The attack surface includes two distinct deployment models. The first targets sandboxed Java Web Start applications and applets that load untrusted code from the internet and rely on the Java sandbox boundary. The second targets server-side applications that expose JAXP APIs through web services, where attacker-controlled XML data is supplied to the API for parsing or transformation.
The impact is limited to confidentiality, with no integrity or availability consequences. Only a subset of accessible data is exposed, not the entire runtime memory or filesystem.
Root Cause
NVD assigns this issue an NVD-CWE-noinfo classification because Oracle's advisory does not disclose detailed root-cause information. The flaw is characteristic of XML processing weaknesses such as improper restriction of external references or insufficient validation of XML structures during parsing.
Attack Vector
Exploitation requires network access but no authentication and no user interaction. An attacker delivers malicious XML data to a Java application that processes it through JAXP APIs, either by hosting untrusted code that runs inside a Java sandbox or by submitting crafted XML to a web service backed by JAXP.
Oracle has not published the exact mechanism beyond attributing it to XML processing weaknesses in the JAXP component. Refer to the Oracle CPU January 2022 Alert for vendor-supplied technical details.
Detection Methods for CVE-2022-21282
Indicators of Compromise
- Unexpected outbound network requests originating from Java processes that parse XML, particularly DNS or HTTP traffic to attacker-controlled hosts during XML processing.
- Java application log entries showing javax.xml.parsers, TransformerFactory, or XPath activity correlated with anomalous external entity resolution.
- Web service request logs containing crafted XML payloads with unusual DOCTYPE declarations, external references, or oversized XML structures.
Detection Strategies
- Inventory all Java runtimes across the environment and flag installations matching the vulnerable versions: Oracle Java SE 7u321, 8u311, 11.0.13, 17.0.1, and GraalVM Enterprise 20.3.4 and 21.3.0.
- Inspect web service endpoints that accept XML input for the use of JAXP parsers without secure processing features enabled.
- Correlate process telemetry from Java processes (java, javaw) with outbound network connections initiated during XML parsing operations.
Monitoring Recommendations
- Enable verbose XML parser logging in production Java applications to capture entity resolution and schema fetch events.
- Monitor NetApp management appliances and Debian-based servers running affected OpenJDK versions for unpatched Java runtimes through configuration management tooling.
- Track Oracle quarterly Critical Patch Update advisories and alert when affected Java versions remain deployed past the published patch date.
How to Mitigate CVE-2022-21282
Immediate Actions Required
- Apply the Oracle January 2022 Critical Patch Update to all affected Java SE and GraalVM Enterprise Edition installations.
- Upgrade Debian systems using the fixes in Debian Security Advisories DSA-5057 and DSA-5058.
- Update NetApp products per NetApp Security Advisory NTAP-20220121-0007 where Java runtimes are bundled.
- Update Gentoo systems following Gentoo GLSA 202209-05.
Patch Information
Oracle addressed CVE-2022-21282 in the Oracle CPU January 2022 Alert. Fixed releases include Oracle Java SE 7u331, 8u321, 11.0.14, 17.0.2, and GraalVM Enterprise Edition 20.3.5 and 21.3.1. Downstream advisories from Debian, NetApp, and Gentoo provide distribution-specific packages.
Workarounds
- Disable the loading of untrusted Java Web Start applications and applets in client environments where Java is required.
- Configure JAXP parsers with secure processing (XMLConstants.FEATURE_SECURE_PROCESSING) and disable DTD and external entity resolution where business logic permits.
- Restrict network exposure of web services that accept XML input from untrusted sources by placing them behind authenticated gateways.
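The parser-hardening workaround above, as an added example that is not part of the original page or of any Oracle code: a DocumentBuilderFactory and TransformerFactory configured with secure processing and every external-reference path closed, checked against a constructed document carrying a DOCTYPE (the class name, the helper names and the placeholder system id are assumptions).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.SAXParseException;

public class HardenedJaxp {
    // DOM parser factory with secure processing on and every external-reference path closed.
    public static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright; this alone blocks external entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Transformer factory that refuses to fetch external DTDs or stylesheets.
    public static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // empty string = no protocol allowed
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }
    // True when the factory's parser refuses a document that carries a DOCTYPE.
    public static boolean rejectsDoctype(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a DOCTYPE declaring an external entity with a placeholder system id.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"http://example.invalid/ext.dtd\">]>\n"
            + "<doc>&ext;</doc>";
        System.out.println("hardened DOM parser rejected DOCTYPE: " + rejectsDoctype(hardenedDomFactory(), xml));
        hardenedTransformerFactory(); // throws if the runtime does not accept these settings
    }
}
```

With the JDK's built-in parser the hardened factory rejects the sample at the DOCTYPE, so the external entity is never resolved; a default-configured factory would attempt to fetch it.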
# Show the default Java runtime; compare against the vulnerable versions listed above
java -version
# List every installed runtime, since "java -version" only reports the default one
update-alternatives --list java
# Debian/Ubuntu: apply security updates for the installed OpenJDK packages
sudo apt-get update
sudo apt-get install --only-upgrade openjdk-11-jre openjdk-17-jre
# Confirm the patched version is now reported
java -version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.