First published: Tue Jul 19 2022
A flaw was found in the way the Hotspot component of OpenJDK generated class code. An untrusted Java application or applet could potentially use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/openjdk-11 | 11.0.16+8-1~deb10u1 11.0.21+9-1~deb10u1 11.0.20+8-1~deb11u1 11.0.21+9-1~deb11u1 11.0.21+9-1 | |
debian/openjdk-17 | 17.0.7+7-1~deb11u1 17.0.8+7-1~deb12u1 17.0.9+9-1 | |
debian/openjdk-8 | 8u392-ga-1 | |
IBM Cloud Transformation Advisor | <=2.0.1 - 3.3.1 | |
Oracle GraalVM Enterprise Edition | =20.3.6 | |
Oracle GraalVM Enterprise Edition | =21.3.2 | |
Oracle GraalVM Enterprise Edition | =22.1.0 | |
Oracle Java SE 7 | =1.7.0-update343 | |
Oracle Java SE 7 | =1.8.0-update333 | |
Oracle Java SE 7 | =11.0.15.1 | |
Oracle Java SE 7 | =17.0.3.1 | |
Oracle Java SE 7 | =18.0.1.1 | |
Oracle JRE | =1.7.0-update343 | |
Oracle JRE | =1.8.0-update333 | |
Oracle JRE | =11.0.15.1 | |
Oracle JRE | =17.0.3.1 | |
Oracle JRE | =18.0.1.1 | |
OpenJDK 8 | >=11<=11.0.15 | |
OpenJDK 8 | >=13<=13.0.11 | |
OpenJDK 8 | >=15<=15.0.7 | |
OpenJDK 8 | >=17<=17.0.3 | |
OpenJDK 8 | =7 | |
OpenJDK 8 | =7-update1 | |
OpenJDK 8 | =7-update10 | |
OpenJDK 8 | =7-update101 | |
OpenJDK 8 | =7-update11 | |
OpenJDK 8 | =7-update111 | |
OpenJDK 8 | =7-update121 | |
OpenJDK 8 | =7-update13 | |
OpenJDK 8 | =7-update131 | |
OpenJDK 8 | =7-update141 | |
OpenJDK 8 | =7-update15 | |
OpenJDK 8 | =7-update151 | |
OpenJDK 8 | =7-update161 | |
OpenJDK 8 | =7-update17 | |
OpenJDK 8 | =7-update171 | |
OpenJDK 8 | =7-update181 | |
OpenJDK 8 | =7-update191 | |
OpenJDK 8 | =7-update2 | |
OpenJDK 8 | =7-update201 | |
OpenJDK 8 | =7-update21 | |
OpenJDK 8 | =7-update211 | |
OpenJDK 8 | =7-update221 | |
OpenJDK 8 | =7-update231 | |
OpenJDK 8 | =7-update241 | |
OpenJDK 8 | =7-update25 | |
OpenJDK 8 | =7-update251 | |
OpenJDK 8 | =7-update261 | |
OpenJDK 8 | =7-update271 | |
OpenJDK 8 | =7-update281 | |
OpenJDK 8 | =7-update291 | |
OpenJDK 8 | =7-update3 | |
OpenJDK 8 | =7-update301 | |
OpenJDK 8 | =7-update311 | |
OpenJDK 8 | =7-update321 | |
OpenJDK 8 | =7-update4 | |
OpenJDK 8 | =7-update40 | |
OpenJDK 8 | =7-update45 | |
OpenJDK 8 | =7-update5 | |
OpenJDK 8 | =7-update51 | |
OpenJDK 8 | =7-update55 | |
OpenJDK 8 | =7-update6 | |
OpenJDK 8 | =7-update60 | |
OpenJDK 8 | =7-update65 | |
OpenJDK 8 | =7-update67 | |
OpenJDK 8 | =7-update7 | |
OpenJDK 8 | =7-update72 | |
OpenJDK 8 | =7-update76 | |
OpenJDK 8 | =7-update80 | |
OpenJDK 8 | =7-update85 | |
OpenJDK 8 | =7-update9 | |
OpenJDK 8 | =7-update91 | |
OpenJDK 8 | =7-update95 | |
OpenJDK 8 | =7-update97 | |
OpenJDK 8 | =7-update99 | |
OpenJDK 8 | =8 | |
OpenJDK 8 | =8-milestone1 | |
OpenJDK 8 | =8-milestone2 | |
OpenJDK 8 | =8-milestone3 | |
OpenJDK 8 | =8-milestone4 | |
OpenJDK 8 | =8-milestone5 | |
OpenJDK 8 | =8-milestone6 | |
OpenJDK 8 | =8-milestone7 | |
OpenJDK 8 | =8-milestone8 | |
OpenJDK 8 | =8-milestone9 | |
OpenJDK 8 | =8-update101 | |
OpenJDK 8 | =8-update102 | |
OpenJDK 8 | =8-update11 | |
OpenJDK 8 | =8-update111 | |
OpenJDK 8 | =8-update112 | |
OpenJDK 8 | =8-update121 | |
OpenJDK 8 | =8-update131 | |
OpenJDK 8 | =8-update141 | |
OpenJDK 8 | =8-update151 | |
OpenJDK 8 | =8-update152 | |
OpenJDK 8 | =8-update161 | |
OpenJDK 8 | =8-update162 | |
OpenJDK 8 | =8-update171 | |
OpenJDK 8 | =8-update172 | |
OpenJDK 8 | =8-update181 | |
OpenJDK 8 | =8-update191 | |
OpenJDK 8 | =8-update192 | |
OpenJDK 8 | =8-update20 | |
OpenJDK 8 | =8-update201 | |
OpenJDK 8 | =8-update202 | |
OpenJDK 8 | =8-update211 | |
OpenJDK 8 | =8-update212 | |
OpenJDK 8 | =8-update221 | |
OpenJDK 8 | =8-update222 | |
OpenJDK 8 | =8-update231 | |
OpenJDK 8 | =8-update232 | |
OpenJDK 8 | =8-update241 | |
OpenJDK 8 | =8-update242 | |
OpenJDK 8 | =8-update25 | |
OpenJDK 8 | =8-update252 | |
OpenJDK 8 | =8-update262 | |
OpenJDK 8 | =8-update271 | |
OpenJDK 8 | =8-update281 | |
OpenJDK 8 | =8-update282 | |
OpenJDK 8 | =8-update291 | |
OpenJDK 8 | =8-update301 | |
OpenJDK 8 | =8-update302 | |
OpenJDK 8 | =8-update31 | |
OpenJDK 8 | =8-update312 | |
OpenJDK 8 | =8-update322 | |
OpenJDK 8 | =8-update332 | |
OpenJDK 8 | =8-update40 | |
OpenJDK 8 | =8-update45 | |
OpenJDK 8 | =8-update5 | |
OpenJDK 8 | =8-update51 | |
OpenJDK 8 | =8-update60 | |
OpenJDK 8 | =8-update65 | |
OpenJDK 8 | =8-update66 | |
OpenJDK 8 | =8-update71 | |
OpenJDK 8 | =8-update72 | |
OpenJDK 8 | =8-update73 | |
OpenJDK 8 | =8-update74 | |
OpenJDK 8 | =8-update77 | |
OpenJDK 8 | =8-update91 | |
OpenJDK 8 | =8-update92 | |
OpenJDK 8 | =18 | |
Red Hat Fedora | =36 | |
Debian Linux | =10.0 | |
Debian Linux | =11.0 | |
NetApp 7-Mode Transition Tool | | |
NetApp Active IQ Unified Manager for VMware vSphere | | |
NetApp Active IQ Unified Manager | | |
NetApp Cloud Insights Acquisition Unit | | |
NetApp Cloud Secure Agent | | |
NetApp SolidFire & HCI Management Node | | |
NetApp OnCommand Insight | | |
NetApp SolidFire & HCI Storage Node | | |
NetApp HCI Compute Node | | |
Azul Zulu JDK | =6.47 | |
Azul Zulu JDK | =7.54 | |
Azul Zulu JDK | =8.62 | |
Azul Zulu JDK | =11.56 | |
Azul Zulu JDK | =13.48 | |
Azul Zulu JDK | =15.40 | |
Azul Zulu JDK | =17.34 | |
Azul Zulu JDK | =18.30 | |
CVE-2022-21540 is classified as a critical vulnerability due to its potential to bypass Java sandbox restrictions.
To fix CVE-2022-21540, upgrade to the latest patched version of OpenJDK or Java SE as specified in the respective vendor advisories.
CVE-2022-21540 affects multiple versions of OpenJDK, Oracle JDK, and GraalVM, particularly those prior to their latest security updates.
Yes, CVE-2022-21540 can potentially be exploited remotely by an unauthenticated attacker targeting untrusted Java applications.
Currently, the best mitigation for CVE-2022-21540 is to apply the security patches provided by the vendors and avoid running untrusted Java applications.