CVE-2022-21540
First published: Tue Jul 19 2022(Updated: )
A flaw was found in the way the Hotspot component of OpenJDK generated class code. An untrusted Java application or applet could potentially use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openjdk-11 | 11.0.16+8-1~deb10u1 11.0.21+9-1~deb10u1 11.0.20+8-1~deb11u1 11.0.21+9-1~deb11u1 11.0.21+9-1 | |
| debian/openjdk-17 | 17.0.7+7-1~deb11u1 17.0.8+7-1~deb12u1 17.0.9+9-1 | |
| debian/openjdk-8 | 8u392-ga-1 | |
| IBM Cloud Transformation Advisor | <=2.0.1 - 3.3.1 | |
| Oracle GraalVM Enterprise Edition | =20.3.6 | |
| Oracle GraalVM Enterprise Edition | =21.3.2 | |
| Oracle GraalVM Enterprise Edition | =22.1.0 | |
| Oracle Java SE 7 | =1.7.0-update343 | |
| Oracle Java SE 7 | =1.8.0-update333 | |
| Oracle Java SE 7 | =11.0.15.1 | |
| Oracle Java SE 7 | =17.0.3.1 | |
| Oracle Java SE 7 | =18.0.1.1 | |
| Oracle JRE | =1.7.0-update343 | |
| Oracle JRE | =1.8.0-update333 | |
| Oracle JRE | =11.0.15.1 | |
| Oracle JRE | =17.0.3.1 | |
| Oracle JRE | =18.0.1.1 | |
| OpenJDK 8 | >=11<=11.0.15 | |
| OpenJDK 8 | >=13<=13.0.11 | |
| OpenJDK 8 | >=15<=15.0.7 | |
| OpenJDK 8 | >=17<=17.0.3 | |
| OpenJDK 8 | =7 | |
| OpenJDK 8 | =7-update1 | |
| OpenJDK 8 | =7-update10 | |
| OpenJDK 8 | =7-update101 | |
| OpenJDK 8 | =7-update11 | |
| OpenJDK 8 | =7-update111 | |
| OpenJDK 8 | =7-update121 | |
| OpenJDK 8 | =7-update13 | |
| OpenJDK 8 | =7-update131 | |
| OpenJDK 8 | =7-update141 | |
| OpenJDK 8 | =7-update15 | |
| OpenJDK 8 | =7-update151 | |
| OpenJDK 8 | =7-update161 | |
| OpenJDK 8 | =7-update17 | |
| OpenJDK 8 | =7-update171 | |
| OpenJDK 8 | =7-update181 | |
| OpenJDK 8 | =7-update191 | |
| OpenJDK 8 | =7-update2 | |
| OpenJDK 8 | =7-update201 | |
| OpenJDK 8 | =7-update21 | |
| OpenJDK 8 | =7-update211 | |
| OpenJDK 8 | =7-update221 | |
| OpenJDK 8 | =7-update231 | |
| OpenJDK 8 | =7-update241 | |
| OpenJDK 8 | =7-update25 | |
| OpenJDK 8 | =7-update251 | |
| OpenJDK 8 | =7-update261 | |
| OpenJDK 8 | =7-update271 | |
| OpenJDK 8 | =7-update281 | |
| OpenJDK 8 | =7-update291 | |
| OpenJDK 8 | =7-update3 | |
| OpenJDK 8 | =7-update301 | |
| OpenJDK 8 | =7-update311 | |
| OpenJDK 8 | =7-update321 | |
| OpenJDK 8 | =7-update4 | |
| OpenJDK 8 | =7-update40 | |
| OpenJDK 8 | =7-update45 | |
| OpenJDK 8 | =7-update5 | |
| OpenJDK 8 | =7-update51 | |
| OpenJDK 8 | =7-update55 | |
| OpenJDK 8 | =7-update6 | |
| OpenJDK 8 | =7-update60 | |
| OpenJDK 8 | =7-update65 | |
| OpenJDK 8 | =7-update67 | |
| OpenJDK 8 | =7-update7 | |
| OpenJDK 8 | =7-update72 | |
| OpenJDK 8 | =7-update76 | |
| OpenJDK 8 | =7-update80 | |
| OpenJDK 8 | =7-update85 | |
| OpenJDK 8 | =7-update9 | |
| OpenJDK 8 | =7-update91 | |
| OpenJDK 8 | =7-update95 | |
| OpenJDK 8 | =7-update97 | |
| OpenJDK 8 | =7-update99 | |
| OpenJDK 8 | =8 | |
| OpenJDK 8 | =8-milestone1 | |
| OpenJDK 8 | =8-milestone2 | |
| OpenJDK 8 | =8-milestone3 | |
| OpenJDK 8 | =8-milestone4 | |
| OpenJDK 8 | =8-milestone5 | |
| OpenJDK 8 | =8-milestone6 | |
| OpenJDK 8 | =8-milestone7 | |
| OpenJDK 8 | =8-milestone8 | |
| OpenJDK 8 | =8-milestone9 | |
| OpenJDK 8 | =8-update101 | |
| OpenJDK 8 | =8-update102 | |
| OpenJDK 8 | =8-update11 | |
| OpenJDK 8 | =8-update111 | |
| OpenJDK 8 | =8-update112 | |
| OpenJDK 8 | =8-update121 | |
| OpenJDK 8 | =8-update131 | |
| OpenJDK 8 | =8-update141 | |
| OpenJDK 8 | =8-update151 | |
| OpenJDK 8 | =8-update152 | |
| OpenJDK 8 | =8-update161 | |
| OpenJDK 8 | =8-update162 | |
| OpenJDK 8 | =8-update171 | |
| OpenJDK 8 | =8-update172 | |
| OpenJDK 8 | =8-update181 | |
| OpenJDK 8 | =8-update191 | |
| OpenJDK 8 | =8-update192 | |
| OpenJDK 8 | =8-update20 | |
| OpenJDK 8 | =8-update201 | |
| OpenJDK 8 | =8-update202 | |
| OpenJDK 8 | =8-update211 | |
| OpenJDK 8 | =8-update212 | |
| OpenJDK 8 | =8-update221 | |
| OpenJDK 8 | =8-update222 | |
| OpenJDK 8 | =8-update231 | |
| OpenJDK 8 | =8-update232 | |
| OpenJDK 8 | =8-update241 | |
| OpenJDK 8 | =8-update242 | |
| OpenJDK 8 | =8-update25 | |
| OpenJDK 8 | =8-update252 | |
| OpenJDK 8 | =8-update262 | |
| OpenJDK 8 | =8-update271 | |
| OpenJDK 8 | =8-update281 | |
| OpenJDK 8 | =8-update282 | |
| OpenJDK 8 | =8-update291 | |
| OpenJDK 8 | =8-update301 | |
| OpenJDK 8 | =8-update302 | |
| OpenJDK 8 | =8-update31 | |
| OpenJDK 8 | =8-update312 | |
| OpenJDK 8 | =8-update322 | |
| OpenJDK 8 | =8-update332 | |
| OpenJDK 8 | =8-update40 | |
| OpenJDK 8 | =8-update45 | |
| OpenJDK 8 | =8-update5 | |
| OpenJDK 8 | =8-update51 | |
| OpenJDK 8 | =8-update60 | |
| OpenJDK 8 | =8-update65 | |
| OpenJDK 8 | =8-update66 | |
| OpenJDK 8 | =8-update71 | |
| OpenJDK 8 | =8-update72 | |
| OpenJDK 8 | =8-update73 | |
| OpenJDK 8 | =8-update74 | |
| OpenJDK 8 | =8-update77 | |
| OpenJDK 8 | =8-update91 | |
| OpenJDK 8 | =8-update92 | |
| OpenJDK 8 | =18 | |
| Red Hat Fedora | =36 | |
| Debian Linux | =10.0 | |
| Debian Linux | =11.0 | |
| NetApp 7-Mode Transition Tool | ||
| NetApp Active IQ Unified Manager for VMware vSphere | ||
| NetApp Active IQ Unified Manager | ||
| NetApp Cloud Insights Acquisition Unit | ||
| NetApp Cloud Secure Agent | ||
| NetApp SolidFire & HCI Management Node | ||
| NetApp OnCommand Insight | ||
| NetApp SolidFire & HCI Storage Node | ||
| NetApp HCI Compute Node | ||
| Azul Zulu JDK | =6.47 | |
| Azul Zulu JDK | =7.54 | |
| Azul Zulu JDK | =8.62 | |
| Azul Zulu JDK | =11.56 | |
| Azul Zulu JDK | =13.48 | |
| Azul Zulu JDK | =15.40 | |
| Azul Zulu JDK | =17.34 | |
| Azul Zulu JDK | =18.30 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2022-21540
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.debian.org/security/2022/dsa-5188
- https://www.debian.org/security/2022/dsa-5192
- https://security.netapp.com/advisory/ntap-20220729-0009/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
- https://security.gentoo.org/glsa/202401-25
- https://exchange.xforce.ibmcloud.com/vulnerabilities/231567
- https://www.ibm.com/support/pages/node/6846257 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
- https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA
- https://www.oracle.com/java/technologies/javase/7-support-relnotes.html#R170_351
- https://www.oracle.com/java/technologies/javase/8u341-relnotes.html
- https://www.oracle.com/java/technologies/javase/11-0-16-relnotes.html
- https://www.oracle.com/java/technologies/javase/17-0-4-relnotes.html
- https://www.oracle.com/java/technologies/javase/18-0-2-relnotes.html
- https://access.redhat.com/errata/RHSA-2022:5685
- https://access.redhat.com/errata/RHSA-2022:5684
- https://access.redhat.com/errata/RHSA-2022:5683
- https://access.redhat.com/errata/RHSA-2022:5681
- https://access.redhat.com/errata/RHSA-2022:5687
- https://access.redhat.com/errata/RHSA-2022:5695
- https://access.redhat.com/errata/RHSA-2022:5701
- https://access.redhat.com/errata/RHSA-2022:5697
- https://access.redhat.com/errata/RHSA-2022:5696
- https://access.redhat.com/errata/RHSA-2022:5700
- https://access.redhat.com/errata/RHSA-2022:5698
- https://access.redhat.com/errata/RHSA-2022:5709
- https://access.redhat.com/errata/RHSA-2022:5726
- https://access.redhat.com/errata/RHSA-2022:5736
- https://access.redhat.com/errata/RHSA-2022:5753
- https://access.redhat.com/errata/RHSA-2022:5754
- https://access.redhat.com/errata/RHSA-2022:5755
- https://access.redhat.com/errata/RHSA-2022:5756
- https://access.redhat.com/errata/RHSA-2022:5757
- https://access.redhat.com/errata/RHSA-2022:5758
- https://github.com/openjdk/jdk17u/commit/8be0fc09f0ba2dd1dbfd6627456fa929d5574b04
- https://github.com/openjdk/jdk11u/commit/6c0ba0785a2f0900be301f72764cf4dcfa720991
- https://github.com/openjdk/jdk8u/commit/1dafef08cc922ee85a8e216387100dc681a5484d
- https://access.redhat.com/security/cve/cve-2022-21540
- https://bugzilla.redhat.com/show_bug.cgi?id=2108540
Frequently Asked Questions
What is the severity of CVE-2022-21540?
CVE-2022-21540 is classified as a critical vulnerability due to its potential to bypass Java sandbox restrictions.
How do I fix CVE-2022-21540?
To fix CVE-2022-21540, upgrade to the latest patched version of OpenJDK or Java SE as specified in the respective vendor advisories.
What systems are affected by CVE-2022-21540?
CVE-2022-21540 affects multiple versions of OpenJDK, Oracle JDK, and GraalVM, particularly those prior to their latest security updates.
Can CVE-2022-21540 be exploited remotely?
Yes, CVE-2022-21540 can potentially be exploited remotely by an unauthenticated attacker targeting untrusted Java applications.
Is there a workaround for CVE-2022-21540?
Currently, the best mitigation for CVE-2022-21540 is to apply the security patches provided by the vendors and avoid running untrusted Java applications.
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/author
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-21540
- agent/references
- agent/severity
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/debian
- vendor/ibm
- canonical/ibm cloud transformation advisor
- version/ibm cloud transformation advisor/2.0.1 - 3.3.1
- vendor/oracle
- canonical/oracle graalvm enterprise edition
- version/oracle graalvm enterprise edition/20.3.6
- version/oracle graalvm enterprise edition/21.3.2
- version/oracle graalvm enterprise edition/22.1.0
- canonical/oracle java se 7
- version/oracle java se 7/1.7.0-update343
- version/oracle java se 7/1.8.0-update333
- version/oracle java se 7/11.0.15.1
- version/oracle java se 7/17.0.3.1
- version/oracle java se 7/18.0.1.1
- canonical/oracle jre
- version/oracle jre/1.7.0-update343
- version/oracle jre/1.8.0-update333
- version/oracle jre/11.0.15.1
- version/oracle jre/17.0.3.1
- version/oracle jre/18.0.1.1
- canonical/openjdk 8
- version/openjdk 8/11
- version/openjdk 8/11.0.15
- version/openjdk 8/13
- version/openjdk 8/13.0.11
- version/openjdk 8/15
- version/openjdk 8/15.0.7
- version/openjdk 8/17
- version/openjdk 8/17.0.3
- version/openjdk 8/7
- version/openjdk 8/7-update1
- version/openjdk 8/7-update10
- version/openjdk 8/7-update101
- version/openjdk 8/7-update11
- version/openjdk 8/7-update111
- version/openjdk 8/7-update121
- version/openjdk 8/7-update13
- version/openjdk 8/7-update131
- version/openjdk 8/7-update141
- version/openjdk 8/7-update15
- version/openjdk 8/7-update151
- version/openjdk 8/7-update161
- version/openjdk 8/7-update17
- version/openjdk 8/7-update171
- version/openjdk 8/7-update181
- version/openjdk 8/7-update191
- version/openjdk 8/7-update2
- version/openjdk 8/7-update201
- version/openjdk 8/7-update21
- version/openjdk 8/7-update211
- version/openjdk 8/7-update221
- version/openjdk 8/7-update231
- version/openjdk 8/7-update241
- version/openjdk 8/7-update25
- version/openjdk 8/7-update251
- version/openjdk 8/7-update261
- version/openjdk 8/7-update271
- version/openjdk 8/7-update281
- version/openjdk 8/7-update291
- version/openjdk 8/7-update3
- version/openjdk 8/7-update301
- version/openjdk 8/7-update311
- version/openjdk 8/7-update321
- version/openjdk 8/7-update4
- version/openjdk 8/7-update40
- version/openjdk 8/7-update45
- version/openjdk 8/7-update5
- version/openjdk 8/7-update51
- version/openjdk 8/7-update55
- version/openjdk 8/7-update6
- version/openjdk 8/7-update60
- version/openjdk 8/7-update65
- version/openjdk 8/7-update67
- version/openjdk 8/7-update7
- version/openjdk 8/7-update72
- version/openjdk 8/7-update76
- version/openjdk 8/7-update80
- version/openjdk 8/7-update85
- version/openjdk 8/7-update9
- version/openjdk 8/7-update91
- version/openjdk 8/7-update95
- version/openjdk 8/7-update97
- version/openjdk 8/7-update99
- version/openjdk 8/8
- version/openjdk 8/8-milestone1
- version/openjdk 8/8-milestone2
- version/openjdk 8/8-milestone3
- version/openjdk 8/8-milestone4
- version/openjdk 8/8-milestone5
- version/openjdk 8/8-milestone6
- version/openjdk 8/8-milestone7
- version/openjdk 8/8-milestone8
- version/openjdk 8/8-milestone9
- version/openjdk 8/8-update101
- version/openjdk 8/8-update102
- version/openjdk 8/8-update11
- version/openjdk 8/8-update111
- version/openjdk 8/8-update112
- version/openjdk 8/8-update121
- version/openjdk 8/8-update131
- version/openjdk 8/8-update141
- version/openjdk 8/8-update151
- version/openjdk 8/8-update152
- version/openjdk 8/8-update161
- version/openjdk 8/8-update162
- version/openjdk 8/8-update171
- version/openjdk 8/8-update172
- version/openjdk 8/8-update181
- version/openjdk 8/8-update191
- version/openjdk 8/8-update192
- version/openjdk 8/8-update20
- version/openjdk 8/8-update201
- version/openjdk 8/8-update202
- version/openjdk 8/8-update211
- version/openjdk 8/8-update212
- version/openjdk 8/8-update221
- version/openjdk 8/8-update222
- version/openjdk 8/8-update231
- version/openjdk 8/8-update232
- version/openjdk 8/8-update241
- version/openjdk 8/8-update242
- version/openjdk 8/8-update25
- version/openjdk 8/8-update252
- version/openjdk 8/8-update262
- version/openjdk 8/8-update271
- version/openjdk 8/8-update281
- version/openjdk 8/8-update282
- version/openjdk 8/8-update291
- version/openjdk 8/8-update301
- version/openjdk 8/8-update302
- version/openjdk 8/8-update31
- version/openjdk 8/8-update312
- version/openjdk 8/8-update322
- version/openjdk 8/8-update332
- version/openjdk 8/8-update40
- version/openjdk 8/8-update45
- version/openjdk 8/8-update5
- version/openjdk 8/8-update51
- version/openjdk 8/8-update60
- version/openjdk 8/8-update65
- version/openjdk 8/8-update66
- version/openjdk 8/8-update71
- version/openjdk 8/8-update72
- version/openjdk 8/8-update73
- version/openjdk 8/8-update74
- version/openjdk 8/8-update77
- version/openjdk 8/8-update91
- version/openjdk 8/8-update92
- version/openjdk 8/18
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/36
- vendor/debian
- canonical/debian linux
- version/debian linux/10.0
- version/debian linux/11.0
- vendor/netapp
- canonical/netapp 7-mode transition tool
- canonical/netapp active iq unified manager for vmware vsphere
- canonical/netapp active iq unified manager
- canonical/netapp cloud insights acquisition unit
- canonical/netapp cloud secure agent
- canonical/netapp solidfire & hci management node
- canonical/netapp oncommand insight
- canonical/netapp solidfire & hci storage node
- canonical/netapp hci compute node
- vendor/azul
- canonical/azul zulu jdk
- version/azul zulu jdk/6.47
- version/azul zulu jdk/7.54
- version/azul zulu jdk/8.62
- version/azul zulu jdk/11.56
- version/azul zulu jdk/13.48
- version/azul zulu jdk/15.40
- version/azul zulu jdk/17.34
- version/azul zulu jdk/18.30