REDHAT-BUG-2041801
First published: Tue Jan 18 2022(Updated: )
It was discovered that the ObjectInputStream class implementation in the Serialization component of OpenJDK did not check superclasses against the deserialization filter (defined via jdk.serialFilter system or security property) in cases when those classes were available locally and not included in the serialized stream. A specially-crafted serialized stream could possibly use this flaw to bypass class deserialization restrictions.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenJDK 17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.oracle.com/security-alerts/cpujan2022.html#AppendixJAVA
- https://access.redhat.com/errata/RHSA-2022:0161
- https://access.redhat.com/errata/RHSA-2022:0233
- https://access.redhat.com/errata/RHSA-2022:0209
- https://access.redhat.com/errata/RHSA-2022:0185
- https://access.redhat.com/errata/RHSA-2022:0211
- https://access.redhat.com/errata/RHSA-2022:0204
- https://access.redhat.com/errata/RHSA-2022:0166
- https://access.redhat.com/errata/RHSA-2022:0165
- https://access.redhat.com/errata/RHSA-2022:0228
- https://access.redhat.com/errata/RHSA-2022:0229
- https://github.com/openjdk/jdk17u/commit/b1f8775f6bd56f85ab556ef1e78b3f842a666db2
- https://github.com/openjdk/jdk11u-dev/commit/3393744851e30e514f85cc6c3ab529bcd3970d1b
- http://hg.openjdk.java.net/jdk8u/monojdk8u/rev/77ccfc2d7c3c
- https://access.redhat.com/errata/RHSA-2022:0304
- https://access.redhat.com/errata/RHSA-2022:0305
- https://access.redhat.com/errata/RHSA-2022:0307
- https://access.redhat.com/errata/RHSA-2022:0306
- https://access.redhat.com/errata/RHSA-2022:0312
- https://access.redhat.com/errata/RHSA-2022:0321
- https://access.redhat.com/errata/RHSA-2022:0317
- https://access.redhat.com/security/cve/cve-2022-21248
- https://access.redhat.com/errata/RHSA-2022:0970
- https://access.redhat.com/errata/RHSA-2022:0969
- https://access.redhat.com/errata/RHSA-2022:0968
- https://bugzilla.redhat.com/show_bug.cgi?id=2041801
Frequently Asked Questions
What is the severity of REDHAT-BUG-2041801?
The severity of REDHAT-BUG-2041801 is classified as critical due to the potential for remote code execution through deserialization vulnerabilities.
How do I fix REDHAT-BUG-2041801?
To fix REDHAT-BUG-2041801, update to the latest version of OpenJDK which contains patches addressing the vulnerability.
What affected software does REDHAT-BUG-2041801 impact?
REDHAT-BUG-2041801 specifically impacts Oracle OpenJDK versions that are vulnerable to the deserialization issue.
What are the risks associated with REDHAT-BUG-2041801?
The risks of REDHAT-BUG-2041801 include potential unauthorized access and execution of malicious code on a system that utilizes vulnerable serialization mechanisms.
Can REDHAT-BUG-2041801 be exploited without authentication?
Yes, REDHAT-BUG-2041801 can potentially be exploited without authentication, allowing attackers to execute code remotely.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-21248
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/openjdk 17