CVE-2022-21540
First published: Tue Jul 19 2022(Updated: )
A flaw was found in the way the Hotspot component of OpenJDK generated class code. An untrusted Java application or applet could potentially use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openjdk-11 | 11.0.16+8-1~deb10u1 11.0.21+9-1~deb10u1 11.0.20+8-1~deb11u1 11.0.21+9-1~deb11u1 11.0.21+9-1 | |
| debian/openjdk-17 | 17.0.7+7-1~deb11u1 17.0.8+7-1~deb12u1 17.0.9+9-1 | |
| debian/openjdk-8 | 8u392-ga-1 | |
| IBM Cloud Transformation Advisor | <=2.0.1 - 3.3.1 | |
| Oracle GraalVM Enterprise Edition | =20.3.6 | |
| Oracle GraalVM Enterprise Edition | =21.3.2 | |
| Oracle GraalVM Enterprise Edition | =22.1.0 | |
| Oracle JDK 6 | =1.7.0-update343 | |
| Oracle JDK 6 | =1.8.0-update333 | |
| Oracle JDK 6 | =11.0.15.1 | |
| Oracle JDK 6 | =17.0.3.1 | |
| Oracle JDK 6 | =18.0.1.1 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update343 | |
| Oracle Java Runtime Environment (JRE) | =1.8.0-update333 | |
| Oracle Java Runtime Environment (JRE) | =11.0.15.1 | |
| Oracle Java Runtime Environment (JRE) | =17.0.3.1 | |
| Oracle Java Runtime Environment (JRE) | =18.0.1.1 | |
| OpenJDK 17 | >=11<=11.0.15 | |
| OpenJDK 17 | >=13<=13.0.11 | |
| OpenJDK 17 | >=15<=15.0.7 | |
| OpenJDK 17 | >=17<=17.0.3 | |
| OpenJDK 17 | =7 | |
| OpenJDK 17 | =7-update1 | |
| OpenJDK 17 | =7-update10 | |
| OpenJDK 17 | =7-update101 | |
| OpenJDK 17 | =7-update11 | |
| OpenJDK 17 | =7-update111 | |
| OpenJDK 17 | =7-update121 | |
| OpenJDK 17 | =7-update13 | |
| OpenJDK 17 | =7-update131 | |
| OpenJDK 17 | =7-update141 | |
| OpenJDK 17 | =7-update15 | |
| OpenJDK 17 | =7-update151 | |
| OpenJDK 17 | =7-update161 | |
| OpenJDK 17 | =7-update17 | |
| OpenJDK 17 | =7-update171 | |
| OpenJDK 17 | =7-update181 | |
| OpenJDK 17 | =7-update191 | |
| OpenJDK 17 | =7-update2 | |
| OpenJDK 17 | =7-update201 | |
| OpenJDK 17 | =7-update21 | |
| OpenJDK 17 | =7-update211 | |
| OpenJDK 17 | =7-update221 | |
| OpenJDK 17 | =7-update231 | |
| OpenJDK 17 | =7-update241 | |
| OpenJDK 17 | =7-update25 | |
| OpenJDK 17 | =7-update251 | |
| OpenJDK 17 | =7-update261 | |
| OpenJDK 17 | =7-update271 | |
| OpenJDK 17 | =7-update281 | |
| OpenJDK 17 | =7-update291 | |
| OpenJDK 17 | =7-update3 | |
| OpenJDK 17 | =7-update301 | |
| OpenJDK 17 | =7-update311 | |
| OpenJDK 17 | =7-update321 | |
| OpenJDK 17 | =7-update4 | |
| OpenJDK 17 | =7-update40 | |
| OpenJDK 17 | =7-update45 | |
| OpenJDK 17 | =7-update5 | |
| OpenJDK 17 | =7-update51 | |
| OpenJDK 17 | =7-update55 | |
| OpenJDK 17 | =7-update6 | |
| OpenJDK 17 | =7-update60 | |
| OpenJDK 17 | =7-update65 | |
| OpenJDK 17 | =7-update67 | |
| OpenJDK 17 | =7-update7 | |
| OpenJDK 17 | =7-update72 | |
| OpenJDK 17 | =7-update76 | |
| OpenJDK 17 | =7-update80 | |
| OpenJDK 17 | =7-update85 | |
| OpenJDK 17 | =7-update9 | |
| OpenJDK 17 | =7-update91 | |
| OpenJDK 17 | =7-update95 | |
| OpenJDK 17 | =7-update97 | |
| OpenJDK 17 | =7-update99 | |
| OpenJDK 17 | =8 | |
| OpenJDK 17 | =8-milestone1 | |
| OpenJDK 17 | =8-milestone2 | |
| OpenJDK 17 | =8-milestone3 | |
| OpenJDK 17 | =8-milestone4 | |
| OpenJDK 17 | =8-milestone5 | |
| OpenJDK 17 | =8-milestone6 | |
| OpenJDK 17 | =8-milestone7 | |
| OpenJDK 17 | =8-milestone8 | |
| OpenJDK 17 | =8-milestone9 | |
| OpenJDK 17 | =8-update101 | |
| OpenJDK 17 | =8-update102 | |
| OpenJDK 17 | =8-update11 | |
| OpenJDK 17 | =8-update111 | |
| OpenJDK 17 | =8-update112 | |
| OpenJDK 17 | =8-update121 | |
| OpenJDK 17 | =8-update131 | |
| OpenJDK 17 | =8-update141 | |
| OpenJDK 17 | =8-update151 | |
| OpenJDK 17 | =8-update152 | |
| OpenJDK 17 | =8-update161 | |
| OpenJDK 17 | =8-update162 | |
| OpenJDK 17 | =8-update171 | |
| OpenJDK 17 | =8-update172 | |
| OpenJDK 17 | =8-update181 | |
| OpenJDK 17 | =8-update191 | |
| OpenJDK 17 | =8-update192 | |
| OpenJDK 17 | =8-update20 | |
| OpenJDK 17 | =8-update201 | |
| OpenJDK 17 | =8-update202 | |
| OpenJDK 17 | =8-update211 | |
| OpenJDK 17 | =8-update212 | |
| OpenJDK 17 | =8-update221 | |
| OpenJDK 17 | =8-update222 | |
| OpenJDK 17 | =8-update231 | |
| OpenJDK 17 | =8-update232 | |
| OpenJDK 17 | =8-update241 | |
| OpenJDK 17 | =8-update242 | |
| OpenJDK 17 | =8-update25 | |
| OpenJDK 17 | =8-update252 | |
| OpenJDK 17 | =8-update262 | |
| OpenJDK 17 | =8-update271 | |
| OpenJDK 17 | =8-update281 | |
| OpenJDK 17 | =8-update282 | |
| OpenJDK 17 | =8-update291 | |
| OpenJDK 17 | =8-update301 | |
| OpenJDK 17 | =8-update302 | |
| OpenJDK 17 | =8-update31 | |
| OpenJDK 17 | =8-update312 | |
| OpenJDK 17 | =8-update322 | |
| OpenJDK 17 | =8-update332 | |
| OpenJDK 17 | =8-update40 | |
| OpenJDK 17 | =8-update45 | |
| OpenJDK 17 | =8-update5 | |
| OpenJDK 17 | =8-update51 | |
| OpenJDK 17 | =8-update60 | |
| OpenJDK 17 | =8-update65 | |
| OpenJDK 17 | =8-update66 | |
| OpenJDK 17 | =8-update71 | |
| OpenJDK 17 | =8-update72 | |
| OpenJDK 17 | =8-update73 | |
| OpenJDK 17 | =8-update74 | |
| OpenJDK 17 | =8-update77 | |
| OpenJDK 17 | =8-update91 | |
| OpenJDK 17 | =8-update92 | |
| OpenJDK 17 | =18 | |
| Fedora | =36 | |
| Debian | =10.0 | |
| Debian | =11.0 | |
| NetApp 7-Mode Transition Tool | ||
| NetApp Active IQ Unified Manager for VMware vSphere | ||
| netapp active iq unified manager windows | ||
| netapp cloud insights acquisition unit | ||
| netapp cloud secure agent | ||
| netapp hci management node | ||
| NetApp OnCommand Insight | ||
| netapp solidfire | ||
| netapp hci compute node | ||
| Azul Systems Zulu | =6.47 | |
| Azul Systems Zulu | =7.54 | |
| Azul Systems Zulu | =8.62 | |
| Azul Systems Zulu | =11.56 | |
| Azul Systems Zulu | =13.48 | |
| Azul Systems Zulu | =15.40 | |
| Azul Systems Zulu | =17.34 | |
| Azul Systems Zulu | =18.30 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2022-21540
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.debian.org/security/2022/dsa-5188
- https://www.debian.org/security/2022/dsa-5192
- https://security.netapp.com/advisory/ntap-20220729-0009/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
- https://security.gentoo.org/glsa/202401-25
- https://exchange.xforce.ibmcloud.com/vulnerabilities/231567
- https://www.ibm.com/support/pages/node/6846257 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
- https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA
- https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_351
- https://www.oracle.com/java/technologies/javase/8u341-relnotes.html
- https://www.oracle.com/java/technologies/javase/11-0-16-relnotes.html
- https://www.oracle.com/java/technologies/javase/17-0-4-relnotes.html
- https://www.oracle.com/java/technologies/javase/18-0-2-relnotes.html
- https://access.redhat.com/errata/RHSA-2022:5685
- https://access.redhat.com/errata/RHSA-2022:5684
- https://access.redhat.com/errata/RHSA-2022:5683
- https://access.redhat.com/errata/RHSA-2022:5681
- https://access.redhat.com/errata/RHSA-2022:5687
- https://access.redhat.com/errata/RHSA-2022:5695
- https://access.redhat.com/errata/RHSA-2022:5701
- https://access.redhat.com/errata/RHSA-2022:5697
- https://access.redhat.com/errata/RHSA-2022:5696
- https://access.redhat.com/errata/RHSA-2022:5700
- https://access.redhat.com/errata/RHSA-2022:5698
- https://access.redhat.com/errata/RHSA-2022:5709
- https://access.redhat.com/errata/RHSA-2022:5726
- https://access.redhat.com/errata/RHSA-2022:5736
- https://access.redhat.com/errata/RHSA-2022:5753
- https://access.redhat.com/errata/RHSA-2022:5754
- https://access.redhat.com/errata/RHSA-2022:5755
- https://access.redhat.com/errata/RHSA-2022:5756
- https://access.redhat.com/errata/RHSA-2022:5757
- https://access.redhat.com/errata/RHSA-2022:5758
- https://github.com/openjdk/jdk17u/commit/8be0fc09f0ba2dd1dbfd6627456fa929d5574b04
- https://github.com/openjdk/jdk11u/commit/6c0ba0785a2f0900be301f72764cf4dcfa720991
- https://github.com/openjdk/jdk8u/commit/1dafef08cc922ee85a8e216387100dc681a5484d
- https://access.redhat.com/security/cve/cve-2022-21540
- https://bugzilla.redhat.com/show_bug.cgi?id=2108540
Frequently Asked Questions
What is the severity of CVE-2022-21540?
CVE-2022-21540 is classified as a critical vulnerability due to its potential to bypass Java sandbox restrictions.
How do I fix CVE-2022-21540?
To fix CVE-2022-21540, upgrade to the latest patched version of OpenJDK or Java SE as specified in the respective vendor advisories.
What systems are affected by CVE-2022-21540?
CVE-2022-21540 affects multiple versions of OpenJDK, Oracle JDK, and GraalVM, particularly those prior to their latest security updates.
Can CVE-2022-21540 be exploited remotely?
Yes, CVE-2022-21540 can potentially be exploited remotely by an unauthenticated attacker targeting untrusted Java applications.
Is there a workaround for CVE-2022-21540?
Currently, the best mitigation for CVE-2022-21540 is to apply the security patches provided by the vendors and avoid running untrusted Java applications.
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/author
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-21540
- agent/references
- agent/severity
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/debian
- vendor/ibm
- canonical/ibm cloud transformation advisor
- version/ibm cloud transformation advisor/2.0.1 - 3.3.1
- vendor/oracle
- canonical/oracle graalvm enterprise edition
- version/oracle graalvm enterprise edition/20.3.6
- version/oracle graalvm enterprise edition/21.3.2
- version/oracle graalvm enterprise edition/22.1.0
- canonical/oracle jdk 6
- version/oracle jdk 6/1.7.0-update343
- version/oracle jdk 6/1.8.0-update333
- version/oracle jdk 6/11.0.15.1
- version/oracle jdk 6/17.0.3.1
- version/oracle jdk 6/18.0.1.1
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.7.0-update343
- version/oracle java runtime environment (jre)/1.8.0-update333
- version/oracle java runtime environment (jre)/11.0.15.1
- version/oracle java runtime environment (jre)/17.0.3.1
- version/oracle java runtime environment (jre)/18.0.1.1
- canonical/openjdk 17
- version/openjdk 17/11
- version/openjdk 17/11.0.15
- version/openjdk 17/13
- version/openjdk 17/13.0.11
- version/openjdk 17/15
- version/openjdk 17/15.0.7
- version/openjdk 17/17
- version/openjdk 17/17.0.3
- version/openjdk 17/7
- version/openjdk 17/7-update1
- version/openjdk 17/7-update10
- version/openjdk 17/7-update101
- version/openjdk 17/7-update11
- version/openjdk 17/7-update111
- version/openjdk 17/7-update121
- version/openjdk 17/7-update13
- version/openjdk 17/7-update131
- version/openjdk 17/7-update141
- version/openjdk 17/7-update15
- version/openjdk 17/7-update151
- version/openjdk 17/7-update161
- version/openjdk 17/7-update17
- version/openjdk 17/7-update171
- version/openjdk 17/7-update181
- version/openjdk 17/7-update191
- version/openjdk 17/7-update2
- version/openjdk 17/7-update201
- version/openjdk 17/7-update21
- version/openjdk 17/7-update211
- version/openjdk 17/7-update221
- version/openjdk 17/7-update231
- version/openjdk 17/7-update241
- version/openjdk 17/7-update25
- version/openjdk 17/7-update251
- version/openjdk 17/7-update261
- version/openjdk 17/7-update271
- version/openjdk 17/7-update281
- version/openjdk 17/7-update291
- version/openjdk 17/7-update3
- version/openjdk 17/7-update301
- version/openjdk 17/7-update311
- version/openjdk 17/7-update321
- version/openjdk 17/7-update4
- version/openjdk 17/7-update40
- version/openjdk 17/7-update45
- version/openjdk 17/7-update5
- version/openjdk 17/7-update51
- version/openjdk 17/7-update55
- version/openjdk 17/7-update6
- version/openjdk 17/7-update60
- version/openjdk 17/7-update65
- version/openjdk 17/7-update67
- version/openjdk 17/7-update7
- version/openjdk 17/7-update72
- version/openjdk 17/7-update76
- version/openjdk 17/7-update80
- version/openjdk 17/7-update85
- version/openjdk 17/7-update9
- version/openjdk 17/7-update91
- version/openjdk 17/7-update95
- version/openjdk 17/7-update97
- version/openjdk 17/7-update99
- version/openjdk 17/8
- version/openjdk 17/8-milestone1
- version/openjdk 17/8-milestone2
- version/openjdk 17/8-milestone3
- version/openjdk 17/8-milestone4
- version/openjdk 17/8-milestone5
- version/openjdk 17/8-milestone6
- version/openjdk 17/8-milestone7
- version/openjdk 17/8-milestone8
- version/openjdk 17/8-milestone9
- version/openjdk 17/8-update101
- version/openjdk 17/8-update102
- version/openjdk 17/8-update11
- version/openjdk 17/8-update111
- version/openjdk 17/8-update112
- version/openjdk 17/8-update121
- version/openjdk 17/8-update131
- version/openjdk 17/8-update141
- version/openjdk 17/8-update151
- version/openjdk 17/8-update152
- version/openjdk 17/8-update161
- version/openjdk 17/8-update162
- version/openjdk 17/8-update171
- version/openjdk 17/8-update172
- version/openjdk 17/8-update181
- version/openjdk 17/8-update191
- version/openjdk 17/8-update192
- version/openjdk 17/8-update20
- version/openjdk 17/8-update201
- version/openjdk 17/8-update202
- version/openjdk 17/8-update211
- version/openjdk 17/8-update212
- version/openjdk 17/8-update221
- version/openjdk 17/8-update222
- version/openjdk 17/8-update231
- version/openjdk 17/8-update232
- version/openjdk 17/8-update241
- version/openjdk 17/8-update242
- version/openjdk 17/8-update25
- version/openjdk 17/8-update252
- version/openjdk 17/8-update262
- version/openjdk 17/8-update271
- version/openjdk 17/8-update281
- version/openjdk 17/8-update282
- version/openjdk 17/8-update291
- version/openjdk 17/8-update301
- version/openjdk 17/8-update302
- version/openjdk 17/8-update31
- version/openjdk 17/8-update312
- version/openjdk 17/8-update322
- version/openjdk 17/8-update332
- version/openjdk 17/8-update40
- version/openjdk 17/8-update45
- version/openjdk 17/8-update5
- version/openjdk 17/8-update51
- version/openjdk 17/8-update60
- version/openjdk 17/8-update65
- version/openjdk 17/8-update66
- version/openjdk 17/8-update71
- version/openjdk 17/8-update72
- version/openjdk 17/8-update73
- version/openjdk 17/8-update74
- version/openjdk 17/8-update77
- version/openjdk 17/8-update91
- version/openjdk 17/8-update92
- version/openjdk 17/18
- vendor/fedoraproject
- canonical/fedora
- version/fedora/36
- vendor/debian
- canonical/debian
- version/debian/10.0
- version/debian/11.0
- vendor/netapp
- canonical/netapp 7-mode transition tool
- canonical/netapp active iq unified manager for vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp cloud insights acquisition unit
- canonical/netapp cloud secure agent
- canonical/netapp hci management node
- canonical/netapp oncommand insight
- canonical/netapp solidfire
- canonical/netapp hci compute node
- vendor/azul
- canonical/azul systems zulu
- version/azul systems zulu/6.47
- version/azul systems zulu/7.54
- version/azul systems zulu/8.62
- version/azul systems zulu/11.56
- version/azul systems zulu/13.48
- version/azul systems zulu/15.40
- version/azul systems zulu/17.34
- version/azul systems zulu/18.30