First published: Tue Jan 18 2022(Updated: )
A flaw was found in the way the TIFFFaxDecompressor, TIFFLZWDecompressor, and TIFFPackBitsDecompressor classes implementations in the ImageIO component of OpenJDK handled memory allocations when processing TIFF images. A specially-crafted TIFF image with a small size could cause a Java application to allocate an excessive amount of memory when opened.
Credit: secalert_us@oracle.com secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/java | <11-openjdk-1:11.0.14.0.9-1.el7_9 | 11-openjdk-1:11.0.14.0.9-1.el7_9 |
redhat/java | <17-openjdk-1:17.0.2.0.8-4.el8_5 | 17-openjdk-1:17.0.2.0.8-4.el8_5 |
redhat/java | <11-openjdk-1:11.0.14.0.9-2.el8_5 | 11-openjdk-1:11.0.14.0.9-2.el8_5 |
redhat/java | <11-openjdk-1:11.0.14.0.9-1.el8_1 | 11-openjdk-1:11.0.14.0.9-1.el8_1 |
redhat/java | <11-openjdk-1:11.0.14.0.9-1.el8_2 | 11-openjdk-1:11.0.14.0.9-1.el8_2 |
redhat/java | <11-openjdk-1:11.0.14.0.9-2.el8_4 | 11-openjdk-1:11.0.14.0.9-2.el8_4 |
debian/openjdk-11 | 11.0.16+8-1~deb10u1 11.0.21+9-1~deb10u1 11.0.20+8-1~deb11u1 11.0.21+9-1~deb11u1 11.0.22~6ea-1 | |
debian/openjdk-17 | 17.0.7+7-1~deb11u1 17.0.9+9-1~deb11u1 17.0.9+9-1~deb12u1 17.0.9+9-2 17.0.10~6ea-1 | |
Oracle GraalVM | =20.3.4 | |
Oracle GraalVM | =21.3.0 | |
Oracle JDK | =11.0.13 | |
Oracle JDK | =17.0.1 | |
Oracle JRE | =11.0.13 | |
Oracle JRE | =17.0.1 | |
NetApp 7-Mode Transition Tool | ||
Netapp Cloud Insights | ||
NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.1 | |
Netapp E-series Santricity Storage Manager | ||
Netapp E-series Santricity Web Services Web Services Proxy | ||
Netapp Hci Management Node | ||
NetApp OnCommand Insight | ||
NetApp OnCommand Workflow Automation | ||
Netapp Santricity Unified Manager | ||
Netapp Snapmanager Oracle | ||
Netapp Snapmanager Sap | ||
Netapp Solidfire | ||
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Oracle OpenJDK | >=11<=11.0.13 | |
Oracle OpenJDK | >=13<=13.0.9 | |
Oracle OpenJDK | >=15<=15.0.5 | |
Oracle OpenJDK | =17 | |
Oracle OpenJDK | =17.0.1 | |
Netapp Active Iq Unified Manager Vmware Vsphere | ||
Netapp Active Iq Unified Manager Windows | ||
Netapp Cloud Insights Acquisition Unit | ||
Netapp Cloud Secure Agent | ||
Netapp Santricity Storage Plugin Vcenter |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
The vulnerability ID for this Oracle Java SE vulnerability is CVE-2022-21366.
The affected component of this vulnerability is ImageIO.
The affected versions are Oracle Java SE 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition 20.3.4 and 21.3.0.
Yes, this vulnerability is easily exploitable.
The severity level of this vulnerability is medium.