CVE-2022-21282
First published: Mon Jan 17 2022(Updated: )
It was discovered that the TransformerImpl class implementation in the JAXP component of OpenJDK did not properly check access restrictions when performing URI resolution. This could possibly lead to information disclosure when performing XSLT transformations.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/java | <11-openjdk-1:11.0.14.0.9-1.el7_9 | 11-openjdk-1:11.0.14.0.9-1.el7_9 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.322.b06-1.el7_9 | 1.8.0-openjdk-1:1.8.0.322.b06-1.el7_9 |
| redhat/java | <17-openjdk-1:17.0.2.0.8-4.el8_5 | 17-openjdk-1:17.0.2.0.8-4.el8_5 |
| redhat/java | <11-openjdk-1:11.0.14.0.9-2.el8_5 | 11-openjdk-1:11.0.14.0.9-2.el8_5 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.322.b06-2.el8_5 | 1.8.0-openjdk-1:1.8.0.322.b06-2.el8_5 |
| redhat/java | <11-openjdk-1:11.0.14.0.9-1.el8_1 | 11-openjdk-1:11.0.14.0.9-1.el8_1 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.322.b06-1.el8_1 | 1.8.0-openjdk-1:1.8.0.322.b06-1.el8_1 |
| redhat/java | <11-openjdk-1:11.0.14.0.9-1.el8_2 | 11-openjdk-1:11.0.14.0.9-1.el8_2 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.322.b06-1.el8_2 | 1.8.0-openjdk-1:1.8.0.322.b06-1.el8_2 |
| redhat/java | <11-openjdk-1:11.0.14.0.9-2.el8_4 | 11-openjdk-1:11.0.14.0.9-2.el8_4 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.322.b06-2.el8_4 | 1.8.0-openjdk-1:1.8.0.322.b06-2.el8_4 |
| debian/openjdk-11 | 11.0.16+8-1~deb10u1 11.0.21+9-1~deb10u1 11.0.20+8-1~deb11u1 11.0.21+9-1~deb11u1 11.0.22~6ea-1 | |
| debian/openjdk-17 | 17.0.7+7-1~deb11u1 17.0.9+9-1~deb11u1 17.0.9+9-1~deb12u1 17.0.9+9-2 17.0.10~6ea-1 | |
| debian/openjdk-8 | 8u392-ga-1 | |
| Oracle GraalVM Enterprise Edition | =20.3.4 | |
| Oracle GraalVM Enterprise Edition | =21.3.0 | |
| Oracle Java SE 7 | =1.7.0-update321 | |
| Oracle Java SE 7 | =1.8.0-update311 | |
| Oracle Java SE 7 | =11.0.13 | |
| Oracle Java SE 7 | =17.0.1 | |
| Oracle JRE | =1.7.0-update321 | |
| Oracle JRE | =1.8.0-update311 | |
| Oracle JRE | =11.0.13 | |
| Oracle JRE | =17.0.1 | |
| Debian Linux | =9.0 | |
| Debian Linux | =10.0 | |
| Debian Linux | =11.0 | |
| NetApp 7-Mode Transition Tool | ||
| NetApp Active IQ Unified Manager for VMware vSphere | ||
| NetApp Active IQ Unified Manager | ||
| NetApp Cloud Insights Acquisition Unit | ||
| NetApp Cloud Secure Agent | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.1 | |
| NetApp SANtricity Storage Manager | ||
| NetApp E-Series SANtricity Web Services | ||
| NetApp SolidFire & HCI Management Node | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp SANtricity Storage Plugin for vCenter | ||
| NetApp E-Series SANtricity Unified Manager | ||
| NetApp SnapManager for Oracle | ||
| NetApp SnapManager for SAP | ||
| NetApp SolidFire & HCI Storage Node | ||
| OpenJDK 8 | >=11<=11.0.13 | |
| OpenJDK 8 | >=13<=13.0.9 | |
| OpenJDK 8 | >=15<=15.0.5 | |
| OpenJDK 8 | =7 | |
| OpenJDK 8 | =7-update1 | |
| OpenJDK 8 | =7-update10 | |
| OpenJDK 8 | =7-update101 | |
| OpenJDK 8 | =7-update11 | |
| OpenJDK 8 | =7-update111 | |
| OpenJDK 8 | =7-update121 | |
| OpenJDK 8 | =7-update13 | |
| OpenJDK 8 | =7-update131 | |
| OpenJDK 8 | =7-update141 | |
| OpenJDK 8 | =7-update15 | |
| OpenJDK 8 | =7-update151 | |
| OpenJDK 8 | =7-update161 | |
| OpenJDK 8 | =7-update17 | |
| OpenJDK 8 | =7-update171 | |
| OpenJDK 8 | =7-update181 | |
| OpenJDK 8 | =7-update191 | |
| OpenJDK 8 | =7-update2 | |
| OpenJDK 8 | =7-update201 | |
| OpenJDK 8 | =7-update21 | |
| OpenJDK 8 | =7-update211 | |
| OpenJDK 8 | =7-update221 | |
| OpenJDK 8 | =7-update231 | |
| OpenJDK 8 | =7-update241 | |
| OpenJDK 8 | =7-update25 | |
| OpenJDK 8 | =7-update251 | |
| OpenJDK 8 | =7-update261 | |
| OpenJDK 8 | =7-update271 | |
| OpenJDK 8 | =7-update281 | |
| OpenJDK 8 | =7-update291 | |
| OpenJDK 8 | =7-update3 | |
| OpenJDK 8 | =7-update301 | |
| OpenJDK 8 | =7-update311 | |
| OpenJDK 8 | =7-update321 | |
| OpenJDK 8 | =7-update4 | |
| OpenJDK 8 | =7-update40 | |
| OpenJDK 8 | =7-update45 | |
| OpenJDK 8 | =7-update5 | |
| OpenJDK 8 | =7-update51 | |
| OpenJDK 8 | =7-update55 | |
| OpenJDK 8 | =7-update6 | |
| OpenJDK 8 | =7-update60 | |
| OpenJDK 8 | =7-update65 | |
| OpenJDK 8 | =7-update67 | |
| OpenJDK 8 | =7-update7 | |
| OpenJDK 8 | =7-update72 | |
| OpenJDK 8 | =7-update76 | |
| OpenJDK 8 | =7-update80 | |
| OpenJDK 8 | =7-update85 | |
| OpenJDK 8 | =7-update9 | |
| OpenJDK 8 | =7-update91 | |
| OpenJDK 8 | =7-update95 | |
| OpenJDK 8 | =7-update97 | |
| OpenJDK 8 | =7-update99 | |
| OpenJDK 8 | =8 | |
| OpenJDK 8 | =8-milestone1 | |
| OpenJDK 8 | =8-milestone2 | |
| OpenJDK 8 | =8-milestone3 | |
| OpenJDK 8 | =8-milestone4 | |
| OpenJDK 8 | =8-milestone5 | |
| OpenJDK 8 | =8-milestone6 | |
| OpenJDK 8 | =8-milestone7 | |
| OpenJDK 8 | =8-milestone8 | |
| OpenJDK 8 | =8-milestone9 | |
| OpenJDK 8 | =8-update101 | |
| OpenJDK 8 | =8-update102 | |
| OpenJDK 8 | =8-update11 | |
| OpenJDK 8 | =8-update111 | |
| OpenJDK 8 | =8-update112 | |
| OpenJDK 8 | =8-update121 | |
| OpenJDK 8 | =8-update131 | |
| OpenJDK 8 | =8-update141 | |
| OpenJDK 8 | =8-update151 | |
| OpenJDK 8 | =8-update152 | |
| OpenJDK 8 | =8-update161 | |
| OpenJDK 8 | =8-update162 | |
| OpenJDK 8 | =8-update171 | |
| OpenJDK 8 | =8-update172 | |
| OpenJDK 8 | =8-update181 | |
| OpenJDK 8 | =8-update191 | |
| OpenJDK 8 | =8-update192 | |
| OpenJDK 8 | =8-update20 | |
| OpenJDK 8 | =8-update201 | |
| OpenJDK 8 | =8-update202 | |
| OpenJDK 8 | =8-update211 | |
| OpenJDK 8 | =8-update212 | |
| OpenJDK 8 | =8-update221 | |
| OpenJDK 8 | =8-update222 | |
| OpenJDK 8 | =8-update231 | |
| OpenJDK 8 | =8-update232 | |
| OpenJDK 8 | =8-update241 | |
| OpenJDK 8 | =8-update242 | |
| OpenJDK 8 | =8-update25 | |
| OpenJDK 8 | =8-update252 | |
| OpenJDK 8 | =8-update262 | |
| OpenJDK 8 | =8-update271 | |
| OpenJDK 8 | =8-update281 | |
| OpenJDK 8 | =8-update282 | |
| OpenJDK 8 | =8-update291 | |
| OpenJDK 8 | =8-update301 | |
| OpenJDK 8 | =8-update302 | |
| OpenJDK 8 | =8-update31 | |
| OpenJDK 8 | =8-update312 | |
| OpenJDK 8 | =8-update40 | |
| OpenJDK 8 | =8-update45 | |
| OpenJDK 8 | =8-update5 | |
| OpenJDK 8 | =8-update51 | |
| OpenJDK 8 | =8-update60 | |
| OpenJDK 8 | =8-update65 | |
| OpenJDK 8 | =8-update66 | |
| OpenJDK 8 | =8-update71 | |
| OpenJDK 8 | =8-update72 | |
| OpenJDK 8 | =8-update73 | |
| OpenJDK 8 | =8-update74 | |
| OpenJDK 8 | =8-update77 | |
| OpenJDK 8 | =8-update91 | |
| OpenJDK 8 | =8-update92 | |
| OpenJDK 8 | =17 | |
| OpenJDK 8 | =17.0.1 | |
| NetApp Cloud Insights Telegraf |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html
- https://security.gentoo.org/glsa/202209-05
- https://security.netapp.com/advisory/ntap-20220121-0007/
- https://www.debian.org/security/2022/dsa-5057
- https://www.debian.org/security/2022/dsa-5058
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html#AppendixJAVA
- https://access.redhat.com/errata/RHSA-2022:0161
- https://access.redhat.com/errata/RHSA-2022:0233
- https://access.redhat.com/errata/RHSA-2022:0209
- https://access.redhat.com/errata/RHSA-2022:0185
- https://access.redhat.com/errata/RHSA-2022:0211
- https://access.redhat.com/errata/RHSA-2022:0204
- https://access.redhat.com/errata/RHSA-2022:0166
- https://access.redhat.com/errata/RHSA-2022:0165
- https://access.redhat.com/errata/RHSA-2022:0228
- https://access.redhat.com/errata/RHSA-2022:0229
- https://github.com/openjdk/jdk17u/commit/592542fb28e26479ac591e9c08f83bd4a3988070
- https://github.com/openjdk/jdk11u-dev/commit/62af7d0aaeb16107a5e8bb22b3f164be407f4499
- http://hg.openjdk.java.net/jdk8u/monojdk8u/rev/fb79a897664c
- https://access.redhat.com/errata/RHSA-2022:0304
- https://access.redhat.com/errata/RHSA-2022:0305
- https://access.redhat.com/errata/RHSA-2022:0307
- https://access.redhat.com/errata/RHSA-2022:0306
- https://access.redhat.com/errata/RHSA-2022:0312
- https://access.redhat.com/errata/RHSA-2022:0321
- https://access.redhat.com/errata/RHSA-2022:0317
- https://access.redhat.com/security/cve/cve-2022-21282
- https://bugzilla.redhat.com/show_bug.cgi?id=2041435
- https://www.cve.org/CVERecord?id=CVE-2022-21282 https://nvd.nist.gov/vuln/detail/CVE-2022-21282
- https://security-tracker.debian.org/tracker/CVE-2022-21282
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-21282?
CVE-2022-21282 has been classified as a moderate severity vulnerability.
How do I fix CVE-2022-21282?
To fix CVE-2022-21282, update to the recommended versions of OpenJDK specified in the remediation section.
What are the affected software versions for CVE-2022-21282?
CVE-2022-21282 affects multiple versions of OpenJDK including 11, 1.8, and 17.
What can be compromised due to CVE-2022-21282?
CVE-2022-21282 could lead to information disclosure when performing XSLT transformations.
Is CVE-2022-21282 exploitable over the network?
Yes, CVE-2022-21282 can be exploited remotely under certain conditions.
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-21282
- agent/references
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/oracle
- canonical/oracle graalvm enterprise edition
- version/oracle graalvm enterprise edition/20.3.4
- version/oracle graalvm enterprise edition/21.3.0
- canonical/oracle java se 7
- version/oracle java se 7/1.7.0-update321
- version/oracle java se 7/1.8.0-update311
- version/oracle java se 7/11.0.13
- version/oracle java se 7/17.0.1
- canonical/oracle jre
- version/oracle jre/1.7.0-update321
- version/oracle jre/1.8.0-update311
- version/oracle jre/11.0.13
- version/oracle jre/17.0.1
- vendor/debian
- canonical/debian linux
- version/debian linux/9.0
- version/debian linux/10.0
- version/debian linux/11.0
- vendor/netapp
- canonical/netapp 7-mode transition tool
- canonical/netapp active iq unified manager for vmware vsphere
- canonical/netapp active iq unified manager
- canonical/netapp cloud insights acquisition unit
- canonical/netapp cloud secure agent
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.70.1
- canonical/netapp santricity storage manager
- canonical/netapp e-series santricity web services
- canonical/netapp solidfire & hci management node
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/netapp santricity storage plugin for vcenter
- canonical/netapp e-series santricity unified manager
- canonical/netapp snapmanager for oracle
- canonical/netapp snapmanager for sap
- canonical/netapp solidfire & hci storage node
- canonical/openjdk 8
- version/openjdk 8/11
- version/openjdk 8/11.0.13
- version/openjdk 8/13
- version/openjdk 8/13.0.9
- version/openjdk 8/15
- version/openjdk 8/15.0.5
- version/openjdk 8/7
- version/openjdk 8/7-update1
- version/openjdk 8/7-update10
- version/openjdk 8/7-update101
- version/openjdk 8/7-update11
- version/openjdk 8/7-update111
- version/openjdk 8/7-update121
- version/openjdk 8/7-update13
- version/openjdk 8/7-update131
- version/openjdk 8/7-update141
- version/openjdk 8/7-update15
- version/openjdk 8/7-update151
- version/openjdk 8/7-update161
- version/openjdk 8/7-update17
- version/openjdk 8/7-update171
- version/openjdk 8/7-update181
- version/openjdk 8/7-update191
- version/openjdk 8/7-update2
- version/openjdk 8/7-update201
- version/openjdk 8/7-update21
- version/openjdk 8/7-update211
- version/openjdk 8/7-update221
- version/openjdk 8/7-update231
- version/openjdk 8/7-update241
- version/openjdk 8/7-update25
- version/openjdk 8/7-update251
- version/openjdk 8/7-update261
- version/openjdk 8/7-update271
- version/openjdk 8/7-update281
- version/openjdk 8/7-update291
- version/openjdk 8/7-update3
- version/openjdk 8/7-update301
- version/openjdk 8/7-update311
- version/openjdk 8/7-update321
- version/openjdk 8/7-update4
- version/openjdk 8/7-update40
- version/openjdk 8/7-update45
- version/openjdk 8/7-update5
- version/openjdk 8/7-update51
- version/openjdk 8/7-update55
- version/openjdk 8/7-update6
- version/openjdk 8/7-update60
- version/openjdk 8/7-update65
- version/openjdk 8/7-update67
- version/openjdk 8/7-update7
- version/openjdk 8/7-update72
- version/openjdk 8/7-update76
- version/openjdk 8/7-update80
- version/openjdk 8/7-update85
- version/openjdk 8/7-update9
- version/openjdk 8/7-update91
- version/openjdk 8/7-update95
- version/openjdk 8/7-update97
- version/openjdk 8/7-update99
- version/openjdk 8/8
- version/openjdk 8/8-milestone1
- version/openjdk 8/8-milestone2
- version/openjdk 8/8-milestone3
- version/openjdk 8/8-milestone4
- version/openjdk 8/8-milestone5
- version/openjdk 8/8-milestone6
- version/openjdk 8/8-milestone7
- version/openjdk 8/8-milestone8
- version/openjdk 8/8-milestone9
- version/openjdk 8/8-update101
- version/openjdk 8/8-update102
- version/openjdk 8/8-update11
- version/openjdk 8/8-update111
- version/openjdk 8/8-update112
- version/openjdk 8/8-update121
- version/openjdk 8/8-update131
- version/openjdk 8/8-update141
- version/openjdk 8/8-update151
- version/openjdk 8/8-update152
- version/openjdk 8/8-update161
- version/openjdk 8/8-update162
- version/openjdk 8/8-update171
- version/openjdk 8/8-update172
- version/openjdk 8/8-update181
- version/openjdk 8/8-update191
- version/openjdk 8/8-update192
- version/openjdk 8/8-update20
- version/openjdk 8/8-update201
- version/openjdk 8/8-update202
- version/openjdk 8/8-update211
- version/openjdk 8/8-update212
- version/openjdk 8/8-update221
- version/openjdk 8/8-update222
- version/openjdk 8/8-update231
- version/openjdk 8/8-update232
- version/openjdk 8/8-update241
- version/openjdk 8/8-update242
- version/openjdk 8/8-update25
- version/openjdk 8/8-update252
- version/openjdk 8/8-update262
- version/openjdk 8/8-update271
- version/openjdk 8/8-update281
- version/openjdk 8/8-update282
- version/openjdk 8/8-update291
- version/openjdk 8/8-update301
- version/openjdk 8/8-update302
- version/openjdk 8/8-update31
- version/openjdk 8/8-update312
- version/openjdk 8/8-update40
- version/openjdk 8/8-update45
- version/openjdk 8/8-update5
- version/openjdk 8/8-update51
- version/openjdk 8/8-update60
- version/openjdk 8/8-update65
- version/openjdk 8/8-update66
- version/openjdk 8/8-update71
- version/openjdk 8/8-update72
- version/openjdk 8/8-update73
- version/openjdk 8/8-update74
- version/openjdk 8/8-update77
- version/openjdk 8/8-update91
- version/openjdk 8/8-update92
- version/openjdk 8/17
- version/openjdk 8/17.0.1
- canonical/netapp cloud insights telegraf