CWE
835
Advisory Published
CVE Published
CVE Published
Updated

CVE-2022-21299

First published: Mon Jan 17 2022(Updated: )

A flaw was found in the way the XMLEntityScanner and XML11EntityScanner classes in the JAXP component of OpenJDK handled and normalized newlines in XML entities. A specially-crafted XML document could cause a Java application to enter an infinite loop when parsed.

Credit: secalert_us@oracle.com

Affected SoftwareAffected VersionHow to fix
redhat/java<11-openjdk-1:11.0.14.0.9-1.el7_9
11-openjdk-1:11.0.14.0.9-1.el7_9
redhat/java<1.8.0-openjdk-1:1.8.0.322.b06-1.el7_9
1.8.0-openjdk-1:1.8.0.322.b06-1.el7_9
redhat/java<1.7.1-ibm-1:1.7.1.5.10-1jpp.1.el7
1.7.1-ibm-1:1.7.1.5.10-1jpp.1.el7
redhat/java<17-openjdk-1:17.0.2.0.8-4.el8_5
17-openjdk-1:17.0.2.0.8-4.el8_5
redhat/java<11-openjdk-1:11.0.14.0.9-2.el8_5
11-openjdk-1:11.0.14.0.9-2.el8_5
redhat/java<1.8.0-openjdk-1:1.8.0.322.b06-2.el8_5
1.8.0-openjdk-1:1.8.0.322.b06-2.el8_5
redhat/java<11-openjdk-1:11.0.14.0.9-1.el8_1
11-openjdk-1:11.0.14.0.9-1.el8_1
redhat/java<1.8.0-openjdk-1:1.8.0.322.b06-1.el8_1
1.8.0-openjdk-1:1.8.0.322.b06-1.el8_1
redhat/java<11-openjdk-1:11.0.14.0.9-1.el8_2
11-openjdk-1:11.0.14.0.9-1.el8_2
redhat/java<1.8.0-openjdk-1:1.8.0.322.b06-1.el8_2
1.8.0-openjdk-1:1.8.0.322.b06-1.el8_2
redhat/java<11-openjdk-1:11.0.14.0.9-2.el8_4
11-openjdk-1:11.0.14.0.9-2.el8_4
redhat/java<1.8.0-openjdk-1:1.8.0.322.b06-2.el8_4
1.8.0-openjdk-1:1.8.0.322.b06-2.el8_4
redhat/eap7-xerces-j2<0:2.12.0-3.SP04_redhat_00001.1.el8ea
0:2.12.0-3.SP04_redhat_00001.1.el8ea
redhat/eap7-xerces-j2<0:2.12.0-3.SP04_redhat_00001.1.el7ea
0:2.12.0-3.SP04_redhat_00001.1.el7ea
debian/openjdk-11
11.0.16+8-1~deb10u1
11.0.21+9-1~deb10u1
11.0.20+8-1~deb11u1
11.0.21+9-1~deb11u1
11.0.22~6ea-1
debian/openjdk-17
17.0.7+7-1~deb11u1
17.0.9+9-1~deb11u1
17.0.9+9-1~deb12u1
17.0.9+9-2
17.0.10~6ea-1
debian/openjdk-8
8u392-ga-1
IBM Cognos Analytics<=12.0.0-12.0.1
IBM Cognos Analytics<=11.2.0-11.2.4 FP2
IBM Cognos Analytics<=11.1.1-11.1.7 FP7
Oracle GraalVM Enterprise Edition=20.3.4
Oracle GraalVM Enterprise Edition=21.3.0
Oracle Java SE 7=1.7.0-update321
Oracle Java SE 7=1.8.0-update311
Oracle Java SE 7=11.0.13
Oracle Java SE 7=17.0.1
Oracle JRE=1.7.0-update321
Oracle JRE=1.8.0-update311
Oracle JRE=11.0.13
Oracle JRE=17.0.1
NetApp 7-Mode Transition Tool
NetApp Active IQ Unified Manager for VMware vSphere
NetApp Active IQ Unified Manager
NetApp Cloud Insights Acquisition Unit
NetApp Cloud Secure Agent
NetApp E-Series SANtricity OS Controller>=11.0.0<=11.70.1
NetApp SANtricity Storage Manager
NetApp E-Series SANtricity Web Services
NetApp SolidFire & HCI Management Node
NetApp OnCommand Insight
NetApp OnCommand Workflow Automation
NetApp SANtricity Storage Plugin for vCenter
NetApp E-Series SANtricity Unified Manager
NetApp SnapManager for Oracle
NetApp SnapManager for SAP
NetApp SolidFire & HCI Storage Node
Debian Linux=9.0
Debian Linux=10.0
Debian Linux=11.0
OpenJDK 8>=11<=11.0.13
OpenJDK 8>=13<=13.0.9
OpenJDK 8>=15<=15.0.5
OpenJDK 8=7
OpenJDK 8=7-update1
OpenJDK 8=7-update10
OpenJDK 8=7-update101
OpenJDK 8=7-update11
OpenJDK 8=7-update111
OpenJDK 8=7-update121
OpenJDK 8=7-update13
OpenJDK 8=7-update131
OpenJDK 8=7-update141
OpenJDK 8=7-update15
OpenJDK 8=7-update151
OpenJDK 8=7-update161
OpenJDK 8=7-update17
OpenJDK 8=7-update171
OpenJDK 8=7-update181
OpenJDK 8=7-update191
OpenJDK 8=7-update2
OpenJDK 8=7-update201
OpenJDK 8=7-update21
OpenJDK 8=7-update211
OpenJDK 8=7-update221
OpenJDK 8=7-update231
OpenJDK 8=7-update241
OpenJDK 8=7-update25
OpenJDK 8=7-update251
OpenJDK 8=7-update261
OpenJDK 8=7-update271
OpenJDK 8=7-update281
OpenJDK 8=7-update291
OpenJDK 8=7-update3
OpenJDK 8=7-update301
OpenJDK 8=7-update311
OpenJDK 8=7-update321
OpenJDK 8=7-update4
OpenJDK 8=7-update40
OpenJDK 8=7-update45
OpenJDK 8=7-update5
OpenJDK 8=7-update51
OpenJDK 8=7-update55
OpenJDK 8=7-update6
OpenJDK 8=7-update60
OpenJDK 8=7-update65
OpenJDK 8=7-update67
OpenJDK 8=7-update7
OpenJDK 8=7-update72
OpenJDK 8=7-update76
OpenJDK 8=7-update80
OpenJDK 8=7-update85
OpenJDK 8=7-update9
OpenJDK 8=7-update91
OpenJDK 8=7-update95
OpenJDK 8=7-update97
OpenJDK 8=7-update99
OpenJDK 8=8
OpenJDK 8=8-milestone1
OpenJDK 8=8-milestone2
OpenJDK 8=8-milestone3
OpenJDK 8=8-milestone4
OpenJDK 8=8-milestone5
OpenJDK 8=8-milestone6
OpenJDK 8=8-milestone7
OpenJDK 8=8-milestone8
OpenJDK 8=8-milestone9
OpenJDK 8=8-update101
OpenJDK 8=8-update102
OpenJDK 8=8-update11
OpenJDK 8=8-update111
OpenJDK 8=8-update112
OpenJDK 8=8-update121
OpenJDK 8=8-update131
OpenJDK 8=8-update141
OpenJDK 8=8-update151
OpenJDK 8=8-update152
OpenJDK 8=8-update161
OpenJDK 8=8-update162
OpenJDK 8=8-update171
OpenJDK 8=8-update172
OpenJDK 8=8-update181
OpenJDK 8=8-update191
OpenJDK 8=8-update192
OpenJDK 8=8-update20
OpenJDK 8=8-update201
OpenJDK 8=8-update202
OpenJDK 8=8-update211
OpenJDK 8=8-update212
OpenJDK 8=8-update221
OpenJDK 8=8-update222
OpenJDK 8=8-update231
OpenJDK 8=8-update232
OpenJDK 8=8-update241
OpenJDK 8=8-update242
OpenJDK 8=8-update25
OpenJDK 8=8-update252
OpenJDK 8=8-update262
OpenJDK 8=8-update271
OpenJDK 8=8-update281
OpenJDK 8=8-update282
OpenJDK 8=8-update291
OpenJDK 8=8-update301
OpenJDK 8=8-update302
OpenJDK 8=8-update31
OpenJDK 8=8-update312
OpenJDK 8=8-update40
OpenJDK 8=8-update45
OpenJDK 8=8-update5
OpenJDK 8=8-update51
OpenJDK 8=8-update60
OpenJDK 8=8-update65
OpenJDK 8=8-update66
OpenJDK 8=8-update71
OpenJDK 8=8-update72
OpenJDK 8=8-update73
OpenJDK 8=8-update74
OpenJDK 8=8-update77
OpenJDK 8=8-update91
OpenJDK 8=8-update92
OpenJDK 8=17
OpenJDK 8=17.0.1
NetApp Cloud Insights Telegraf

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2022-21299?

    CVE-2022-21299 is characterized as a high-severity vulnerability due to its potential to cause an infinite loop in applications that process specially-crafted XML documents.

  • How do I fix CVE-2022-21299?

    To fix CVE-2022-21299, you should apply the latest patches available for affected versions of OpenJDK, specifically versions 1.7, 1.8, 11, and 17.

  • What types of software are affected by CVE-2022-21299?

    CVE-2022-21299 affects various builds of OpenJDK including versions from Red Hat and Oracle, as well as related distributions such as IBM Cognos Analytics.

  • How does CVE-2022-21299 impact Java applications?

    CVE-2022-21299 can lead Java applications that parse certain XML documents into an infinite loop, potentially causing denial of service.

  • Is CVE-2022-21299 related to any other vulnerabilities?

    While CVE-2022-21299 is a distinct vulnerability, its issues surrounding XML parsing may have similarities to other XML-related vulnerabilities in Java.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203