What is the vulnerability ID?

The vulnerability ID is CVE-2022-21277.

What is the affected software?

The affected software includes Oracle Java SE (versions 11.0.13 and 17.0.1) and Oracle GraalVM Enterprise Edition (versions 20.3.4 and 21.3.0).

How severe is the vulnerability?

The vulnerability has a severity rating of 5.3 (medium).

How can I fix the vulnerability?

To fix the vulnerability, update your Oracle Java SE or Oracle GraalVM Enterprise Edition to the latest patched version.

Where can I find more information about the vulnerability?

You can find more information about the vulnerability in the official Oracle security advisory (link: https://www.oracle.com/security-alerts/cpujan2022.html#AppendixJAVA) and the Red Hat security advisories (links: https://access.redhat.com/errata/RHSA-2022:0161, https://access.redhat.com/errata/RHSA-2022:0233).

Vulnerability/
CVE-2022-21277

medium

5.3

CWE

770

17/1/2022

18/1/2022

19/1/2022

3/8/2024

CVE-2022-21277

First published: Mon Jan 17 2022(Updated: )

A flaw was found in the way the TIFFNullDecompressor class implementation in the ImageIO component of OpenJDK performed reading of uncompressed TIFF files. A specially-crafted TIFF image could cause the decompressor to create image objects with an inconsistent state due to failure to fully read the image.

Credit: secalert_us@oracle.com

Affected Software	Affected Version	How to fix
redhat/java	<11-openjdk-1:11.0.14.0.9-1.el7_9	11-openjdk-1:11.0.14.0.9-1.el7_9
redhat/java	<17-openjdk-1:17.0.2.0.8-4.el8_5	17-openjdk-1:17.0.2.0.8-4.el8_5
redhat/java	<11-openjdk-1:11.0.14.0.9-2.el8_5	11-openjdk-1:11.0.14.0.9-2.el8_5
redhat/java	<11-openjdk-1:11.0.14.0.9-1.el8_1	11-openjdk-1:11.0.14.0.9-1.el8_1
redhat/java	<11-openjdk-1:11.0.14.0.9-1.el8_2	11-openjdk-1:11.0.14.0.9-1.el8_2
redhat/java	<11-openjdk-1:11.0.14.0.9-2.el8_4	11-openjdk-1:11.0.14.0.9-2.el8_4
debian/openjdk-11		11.0.16+8-1~deb10u1 11.0.21+9-1~deb10u1 11.0.20+8-1~deb11u1 11.0.21+9-1~deb11u1 11.0.22~6ea-1
debian/openjdk-17		17.0.7+7-1~deb11u1 17.0.9+9-1~deb11u1 17.0.9+9-1~deb12u1 17.0.9+9-2 17.0.10~6ea-1
Oracle GraalVM Enterprise Edition	=20.3.4
Oracle GraalVM Enterprise Edition	=21.3.0
Oracle Java SE 7	=11.0.13
Oracle Java SE 7	=17.0.1
Oracle JRE	=11.0.13
Oracle JRE	=17.0.1
Debian Linux	=10.0
Debian Linux	=11.0
NetApp 7-Mode Transition Tool
NetApp Active IQ Unified Manager for VMware vSphere
NetApp Active IQ Unified Manager
NetApp Cloud Insights Acquisition Unit
NetApp Cloud Secure Agent
NetApp E-Series SANtricity OS Controller	>=11.0.0<=11.70.1
NetApp SANtricity Storage Manager
NetApp E-Series SANtricity Web Services
NetApp SolidFire & HCI Management Node
NetApp OnCommand Insight
NetApp OnCommand Workflow Automation
NetApp SANtricity Storage Plugin for vCenter
NetApp E-Series SANtricity Unified Manager
NetApp SnapManager for Oracle
NetApp SnapManager for SAP
NetApp SolidFire & HCI Storage Node
OpenJDK 8	>=11<=11.0.13
OpenJDK 8	>=13<=13.0.9
OpenJDK 8	>=15<=15.0.5
OpenJDK 8	=17
OpenJDK 8	=17.0.1
NetApp Cloud Insights Telegraf

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the vulnerability ID?
The vulnerability ID is CVE-2022-21277.
What is the affected software?
The affected software includes Oracle Java SE (versions 11.0.13 and 17.0.1) and Oracle GraalVM Enterprise Edition (versions 20.3.4 and 21.3.0).
How severe is the vulnerability?
The vulnerability has a severity rating of 5.3 (medium).
How can I fix the vulnerability?
To fix the vulnerability, update your Oracle Java SE or Oracle GraalVM Enterprise Edition to the latest patched version.
Where can I find more information about the vulnerability?
You can find more information about the vulnerability in the official Oracle security advisory (link: https://www.oracle.com/security-alerts/cpujan2022.html#AppendixJAVA) and the Red Hat security advisories (links: https://access.redhat.com/errata/RHSA-2022:0161, https://access.redhat.com/errata/RHSA-2022:0233).

collector/redhat-cve
collector/security-tracker-debian
agent/type
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-21277
agent/references
agent/severity
agent/weakness
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
agent/source
agent/author
agent/softwarecombine
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
package-manager/redhat
package-manager/debian
vendor/oracle
canonical/oracle graalvm enterprise edition
version/oracle graalvm enterprise edition/20.3.4
version/oracle graalvm enterprise edition/21.3.0
canonical/oracle java se 7
version/oracle java se 7/11.0.13
version/oracle java se 7/17.0.1
canonical/oracle jre
version/oracle jre/11.0.13
version/oracle jre/17.0.1
vendor/debian
canonical/debian linux
version/debian linux/10.0
version/debian linux/11.0
vendor/netapp
canonical/netapp 7-mode transition tool
canonical/netapp active iq unified manager for vmware vsphere
canonical/netapp active iq unified manager
canonical/netapp cloud insights acquisition unit
canonical/netapp cloud secure agent
canonical/netapp e-series santricity os controller
version/netapp e-series santricity os controller/11.0.0
version/netapp e-series santricity os controller/11.70.1
canonical/netapp santricity storage manager
canonical/netapp e-series santricity web services
canonical/netapp solidfire & hci management node
canonical/netapp oncommand insight
canonical/netapp oncommand workflow automation
canonical/netapp santricity storage plugin for vcenter
canonical/netapp e-series santricity unified manager
canonical/netapp snapmanager for oracle
canonical/netapp snapmanager for sap
canonical/netapp solidfire & hci storage node
canonical/openjdk 8
version/openjdk 8/11
version/openjdk 8/11.0.13
version/openjdk 8/13
version/openjdk 8/13.0.9
version/openjdk 8/15
version/openjdk 8/15.0.5
version/openjdk 8/17
version/openjdk 8/17.0.1
canonical/netapp cloud insights telegraf