CVE-2022-21360: Oracle GraalVM ImageIO DOS Vulnerability

CVE-2022-21360 Overview

CVE-2022-21360 is a denial of service vulnerability in the ImageIO component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to cause a partial denial of service (DoS) condition on affected systems.

The vulnerability primarily impacts Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and execute untrusted code from the internet. Additionally, attackers can exploit this vulnerability through APIs in the ImageIO component, such as web services that supply data to these APIs.

Critical Impact
Unauthenticated remote attackers can cause service disruption by exploiting the ImageIO component to trigger partial denial of service conditions in Java applications.

Affected Products

Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1
Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0
Oracle OpenJDK: Multiple versions through 7u321, 8u312, 11.x through 11.0.13, and 17.0.1
NetApp Products: 7-Mode Transition Tool, Active IQ Unified Manager, Cloud Insights Acquisition Unit, Cloud Secure Agent, E-Series SANtricity products, HCI Management Node, OnCommand Insight, OnCommand Workflow Automation, SANtricity Storage Plugin, SANtricity Unified Manager, SnapManager, SolidFire
Debian Linux: 9.0, 10.0, 11.0

Discovery Timeline

2022-01-19 - CVE-2022-21360 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-21360

Vulnerability Analysis

This vulnerability resides in the ImageIO component of Oracle Java SE and GraalVM Enterprise Edition. The ImageIO API provides a pluggable architecture for working with images in various formats, and this flaw allows attackers to manipulate how the component processes image data, resulting in resource consumption that degrades service availability.

The vulnerability is characterized by its ease of exploitation, requiring no authentication or privileges to attack. An attacker can remotely trigger the vulnerability over the network using multiple protocols, making it accessible from various attack vectors. The impact is limited to availability, causing partial denial of service without affecting data confidentiality or integrity.

Root Cause

The vulnerability stems from improper handling of image data within the ImageIO component. When processing specially crafted image data, the component can enter a state that consumes excessive resources, leading to degraded service performance. The issue affects how the Java runtime processes certain image formats through the ImageIO APIs.

Attack Vector

The attack can be executed through two primary vectors:

Client-side exploitation: Attackers can craft malicious content that gets loaded by sandboxed Java Web Start applications or Java applets running in browsers. When the application processes the malicious image data through ImageIO, the DoS condition is triggered.
Server-side exploitation: Web services or applications that accept image data from external sources and process it using ImageIO APIs are vulnerable. An attacker can submit specially crafted image data to these services to cause service degradation.

The attack requires no user interaction beyond the normal operation of vulnerable applications, and no authentication is needed to exploit the vulnerability. The network-based attack vector means that any system exposing vulnerable Java applications to the network is potentially at risk.

Detection Methods for CVE-2022-21360

Indicators of Compromise

Unusual resource consumption patterns in Java processes, particularly when processing image data
Repeated failed or slow image processing operations in application logs
Network requests containing malformed or oversized image data targeting Java-based services
Increased CPU or memory usage correlated with ImageIO operations

Detection Strategies

Monitor Java application logs for exceptions related to ImageIO processing failures
Implement network intrusion detection rules to identify potentially malicious image payloads
Use application performance monitoring to detect unusual latency or resource consumption in image processing functions
Deploy endpoint detection to identify Java processes exhibiting abnormal behavior patterns

Monitoring Recommendations

Enable detailed logging for Java applications processing external image data
Set up alerts for resource exhaustion events in Java runtime environments
Monitor network traffic for large or malformed image file transfers to Java-based services
Track Java process health metrics including memory usage, CPU utilization, and thread counts

How to Mitigate CVE-2022-21360

Immediate Actions Required

Update Oracle Java SE to the latest patched version released in the January 2022 Critical Patch Update
Upgrade Oracle GraalVM Enterprise Edition to a version newer than 20.3.4 and 21.3.0
Update OpenJDK installations to the latest patched versions available for your distribution
Review and restrict network access to Java-based services processing untrusted image data

Patch Information

Oracle has released fixes for this vulnerability as part of the January 2022 Critical Patch Update. Organizations should apply patches according to these resources:

Oracle January 2022 CPU Alert - Official Oracle security advisory with patch information
Debian DSA-5057 Advisory - Debian security update for OpenJDK 17
Debian DSA-5058 Advisory - Debian security update for OpenJDK 11
NetApp Security Advisory NTAP-20220121-0007 - NetApp product updates
Gentoo GLSA 202209-05 - Gentoo Linux security advisory

Workarounds

Disable Java Web Start and browser-based Java applets if not required for business operations
Implement input validation and filtering for image data before processing through ImageIO APIs
Deploy web application firewalls to filter potentially malicious image content
Consider sandboxing or containerizing Java applications that process untrusted image data
Restrict network access to vulnerable services using firewall rules until patches can be applied

bash

# Verify current Java version
java -version

# Update Java on Debian/Ubuntu systems
sudo apt update
sudo apt install openjdk-17-jdk

# Update Java on RHEL/CentOS systems
sudo yum update java-17-openjdk

CVE-2022-21360 Overview

Critical Impact
Unauthenticated remote attackers can cause service disruption by exploiting the ImageIO component to trigger partial denial of service conditions in Java applications.

Affected Products

Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1
Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0
Oracle OpenJDK: Multiple versions through 7u321, 8u312, 11.x through 11.0.13, and 17.0.1
NetApp Products: 7-Mode Transition Tool, Active IQ Unified Manager, Cloud Insights Acquisition Unit, Cloud Secure Agent, E-Series SANtricity products, HCI Management Node, OnCommand Insight, OnCommand Workflow Automation, SANtricity Storage Plugin, SANtricity Unified Manager, SnapManager, SolidFire
Debian Linux: 9.0, 10.0, 11.0

Discovery Timeline

2022-01-19 - CVE-2022-21360 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-21360

Vulnerability Analysis

Root Cause

Attack Vector

The attack can be executed through two primary vectors:

Client-side exploitation: Attackers can craft malicious content that gets loaded by sandboxed Java Web Start applications or Java applets running in browsers. When the application processes the malicious image data through ImageIO, the DoS condition is triggered.
Server-side exploitation: Web services or applications that accept image data from external sources and process it using ImageIO APIs are vulnerable. An attacker can submit specially crafted image data to these services to cause service degradation.

Detection Methods for CVE-2022-21360

Indicators of Compromise

Unusual resource consumption patterns in Java processes, particularly when processing image data
Repeated failed or slow image processing operations in application logs
Network requests containing malformed or oversized image data targeting Java-based services
Increased CPU or memory usage correlated with ImageIO operations

Detection Strategies

Monitor Java application logs for exceptions related to ImageIO processing failures
Implement network intrusion detection rules to identify potentially malicious image payloads
Use application performance monitoring to detect unusual latency or resource consumption in image processing functions
Deploy endpoint detection to identify Java processes exhibiting abnormal behavior patterns

Monitoring Recommendations

Enable detailed logging for Java applications processing external image data
Set up alerts for resource exhaustion events in Java runtime environments
Monitor network traffic for large or malformed image file transfers to Java-based services
Track Java process health metrics including memory usage, CPU utilization, and thread counts

How to Mitigate CVE-2022-21360

Immediate Actions Required

Update Oracle Java SE to the latest patched version released in the January 2022 Critical Patch Update
Upgrade Oracle GraalVM Enterprise Edition to a version newer than 20.3.4 and 21.3.0
Update OpenJDK installations to the latest patched versions available for your distribution
Review and restrict network access to Java-based services processing untrusted image data

Patch Information

Oracle has released fixes for this vulnerability as part of the January 2022 Critical Patch Update. Organizations should apply patches according to these resources:

Oracle January 2022 CPU Alert - Official Oracle security advisory with patch information
Debian DSA-5057 Advisory - Debian security update for OpenJDK 17
Debian DSA-5058 Advisory - Debian security update for OpenJDK 11
NetApp Security Advisory NTAP-20220121-0007 - NetApp product updates
Gentoo GLSA 202209-05 - Gentoo Linux security advisory

Workarounds

Disable Java Web Start and browser-based Java applets if not required for business operations
Implement input validation and filtering for image data before processing through ImageIO APIs
Deploy web application firewalls to filter potentially malicious image content
Consider sandboxing or containerizing Java applications that process untrusted image data
Restrict network access to vulnerable services using firewall rules until patches can be applied

bash

# Verify current Java version
java -version

# Update Java on Debian/Ubuntu systems
sudo apt update
sudo apt install openjdk-17-jdk

# Update Java on RHEL/CentOS systems
sudo yum update java-17-openjdk

CVE-2022-21360: Oracle GraalVM ImageIO DOS Vulnerability

CVE-2022-21360 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-21360

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-21360

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-21360

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2022-21360: Oracle GraalVM ImageIO DOS Vulnerability

CVE-2022-21360 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2022-21360

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2022-21360

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2022-21360

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform