CVE-2022-21449

Description from NVD

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Information Acquisition Date:2022-05-01T14:54Z

CVSS 2.0: 5.0 MEDIUM CVSS 3.x: 7.5 HIGH

▼ CVSS3 Vec CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector (AV)	Network	Adjacent	Local	Physical
Attack Complexity (AC)	LOW	High
Privileges Required (PR)	None	Low	High
User Interaction (UI)	None	Required
Scope (S)	Unchange	Change
Confidentiality (C)	None	Low	High
Integrity (I)	None	Low	High
Availability (A)	None	Low	High

▼ CVSS2 Vec AV:N/AC:L/Au:N/C:N/I:P/A:N

Attack Vector (AV)	Network	Adjacent	Local
Access Complexity (AC)	Low	Medium	High
Authentication (Au)	None	Single	Multiple
Confidentiality (C)	None	Partial	Complete
Integrity (I)	None	Partial	Complete
Availability (A)	None	Partial	Complete

NVD References

https://www.oracle.com/security-alerts/cpuapr2022.html
source:MISC
tags:Patch Vendor Advisory

[oss-security] 20220428 CVE-2022-21449 and version reporting
source:MLIST
tags:Mailing List Third Party Advisory

[oss-security] 20220428 Re: CVE-2022-21449 and version reporting
source:MLIST
tags:Mailing List

[oss-security] 20220428 Re: CVE-2022-21449 and version reporting
source:MLIST
tags:Mailing List Third Party Advisory

[oss-security] 20220428 Re: CVE-2022-21449 and version reporting
source:MLIST
tags:

https://security.netapp.com/advisory/ntap-20220429-0006/
source:CONFIRM
tags:

[oss-security] 20220429 Re: CVE-2022-21449 and version reporting
source:MLIST
tags:

[oss-security] 20220430 Re: CVE-2022-21449 and version reporting
source:MLIST
tags:

This vulnerability may involve a PoC.

Description from Forti

Security Vulnerability CVE-2022-21449 in Oracle JRE

Information Acquisition Date:2022/04/30

Affected Products

Impact

Recommended Actions

References

Refer to Information on External Sites

CVE Infomation	Exploits or more Infomation
mitre	EXPLOIT DATABASE
NVD	0day.today
vulmon.com	github
CVE Details	Twitter
JVN ENG JPN
Reconshell

Software Tag: Java(1 tweets)

List of frequently cited URLs

URL	Num of Times Referred to
https://cvetrends.com	59
http://twinybots.ch	49
https://www.ipa.go.jp/security/ciadr/vul/20220420-jre.html	15
https://www.oracle.com/security-alerts/cpuapr2022.html	6
https://tweetedtimes.com/LinuxSec?s=tnp	6
https://thehackernews.com/2022/04/researcher-releases-poc-f...	6
https://ift.tt/aKLWnA9	5
https://access.redhat.com/security/cve/cve-2022-21449	5
https://infosecwriteups.com/what-caused-psychic-signatures-...	5
https://github.com/jfrog/jfrog-CVE-2022-21449	4
https://twitter.com/sweis/status/1516654768206204931	4
https://rssfeeds.cloudsite.builders/2022/04/21/cve-2022-214...	4
https://jfrog.com/blog/cve-2022-21449-psychic-signatures-an...	3
https://opsmtrs.com/3tbAFrI	3
https://www.reddit.com/r/netsec	3
https://arstechnica.com/information-technology/2022/04/majo...	3
https://neilmadden.blog/2022/04/19/psychic-signatures-in-java	3
https://openjdk.java.net/groups/vulnerability/advisories/20...	3
https://securityaffairs.co/wordpress/130522/security/poc-ja...	3
https://securityonline.info/cve-2022-21449-oracle-java-se-a...	3
https://nakedsecurity.sophos.com/2022/04/20/critical-crypto...	3
https://forest.watch.impress.co.jp/docs/news/1404535.html	3

Information from Twitter

User	URL	Info Source	Date
ipssignatures	https://twitter.com/jochen_christ/status/1516759280455761920	Source ipssignatures 1624711413833912321	2023/02/12
PizzaPolish	https://sekurak.pl/tajemnicza-podatnosc-w-javie-ktora-moze-...	Source PizzaPolish 1637930021108187136	2023/03/21

List of frequently cited URLs

URL	Num of Times Referred to
cvetrends.com	59
twinybots.ch	49
www.ipa.go.jp	15
www.oracle.com	6
tweetedtimes.com	6
thehackernews.com	6
ift.tt	5
access.redhat.com	5
infosecwriteups.com	5
github.com	4
twitter.com	4
rssfeeds.cloudsite.builders	4
jfrog.com	3
opsmtrs.com	3
www.reddit.com	3
arstechnica.com	3
neilmadden.blog	3
openjdk.java.net	3
securityaffairs.co	3
securityonline.info	3
nakedsecurity.sophos.com	3
forest.watch.impress.co.jp	3

Information from Twitter

User	URL	Info Source
ipssignatures	twitter.com	Show Tweet
PizzaPolish	sekurak.pl	Show Tweet

GitHub Search Results: Up to 10

Name	URL
jfrog/jfrog-CVE-2022-21449	https://github.com/jfrog/jfrog-CVE-2022-21449
khalednassar/CVE-2022-21449-TLS-PoC	https://github.com/khalednassar/CVE-2022-21449-TLS-PoC
jmiettinen/CVE-2022-21449-vuln-test	https://github.com/jmiettinen/CVE-2022-21449-vuln-test
thack1/CVE-2022-21449	https://github.com/thack1/CVE-2022-21449
marschall/psychic-signatures	https://github.com/marschall/psychic-signatures
Damok82/SignChecker	https://github.com/Damok82/SignChecker

GitHub Search Results: Up to 10

Name	URL
jfrog/jfrog-CVE-2022-21449	github.com
khalednassar/CVE-2022-21449-TLS-PoC	github.com
jmiettinen/CVE-2022-21449-vuln-test	github.com
thack1/CVE-2022-21449	github.com
marschall/psychic-signatures	github.com
Damok82/SignChecker	github.com

2023/03/21 Score : 0
Added Har-sia Database : 2022/04/20
Last Modified : 2023/03/21
Highest Scored Date : 2022/04/21
Highest Score : 177