Vulnerability Details : CVE-2022-21628

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability category: Denial of service

Published 2022-10-18 21:15:14

Updated 2023-04-27 17:46:04

Source Oracle

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-21628

Probability of exploitation activity in the next 30 days: 0.09%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 37 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-21628

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

References for CVE-2022-21628

https://security.netapp.com/advisory/ntap-20221028-0012/

Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGMDNIHAA73BEX6XPA2IMXJSGOKKYE6/

Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PB3CIGOFG7CENUVVE4FFZT2HI5FO77XU/

Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QLQ7OD33W6LT3HWI7VYDFFJLV75Y73K/

Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ARF4QF4N3X5GSFHXUBWARGLISGKJ33R/

Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXSBV3W6EP6B7XJ63Z2FPVBH6HAPGJ5T/

Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2022.html

Patch;Vendor Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37QDWJBGEPP65X43NXQTXQ7KASLUHON6/

Mailing List;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2022-21628

Oracle » JDK » Version: 19
cpe:2.3:a:oracle:jdk:19:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 17.0.4.1
cpe:2.3:a:oracle:jdk:17.0.4.1:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 11.0.16.1
cpe:2.3:a:oracle:jdk:11.0.16.1:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.8.0 Update Update345 Enterprise Performance Pack Edition
cpe:2.3:a:oracle:jdk:1.8.0:update345:*:*:enterprise_performance_pack:*:*:*
Matching versions
Oracle » JDK » Version: 1.8.0 Update Update341
cpe:2.3:a:oracle:jdk:1.8.0:update341:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 19
cpe:2.3:a:oracle:jre:19:*:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 17.0.4.1
cpe:2.3:a:oracle:jre:17.0.4.1:*:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 11.0.16.1
cpe:2.3:a:oracle:jre:11.0.16.1:*:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.8.0 Update Update345 Enterprise Performance Pack Edition
cpe:2.3:a:oracle:jre:1.8.0:update345:*:*:enterprise_performance_pack:*:*:*
Matching versions
Oracle » JRE » Version: 1.8.0 Update Update341
cpe:2.3:a:oracle:jre:1.8.0:update341:*:*:*:*:*:*
Matching versions
Oracle » Graalvm » Version: 20.3.7 Enterprise Edition
cpe:2.3:a:oracle:graalvm:20.3.7:*:*:*:enterprise:*:*:*
Matching versions
Oracle » Graalvm » Version: 21.3.3 Enterprise Edition
cpe:2.3:a:oracle:graalvm:21.3.3:*:*:*:enterprise:*:*:*
Matching versions
Oracle » Graalvm » Version: 22.2.0 Enterprise Edition
cpe:2.3:a:oracle:graalvm:22.2.0:*:*:*:enterprise:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Workflow Automation » Version: N/A
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Insight » Version: N/A
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Os Controller
Versions from including (>=) 11.0 and up to, including, (<=) 11.70.2
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Storage Manager » Version: N/A
cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*
Matching versions
Netapp » Santricity Web Services Proxy » Version: N/A
cpe:2.3:a:netapp:santricity_web_services_proxy:-:*:*:*:*:*:*:*
Matching versions
Netapp » 7-mode Transition Tool » Version: N/A
cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Unified Manager » Version: N/A
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Insights Acquisition Unit » Version: N/A
cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Secure Agent » Version: N/A
cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
Matching versions
Netapp » Santricity Storage Plugin » Version: N/A For Vcenter
cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*
Matching versions
Azul » Zulu » Version: 17.36
cpe:2.3:a:azul:zulu:17.36:*:*:*:*:*:*:*
Matching versions
Azul » Zulu » Version: 7.56
cpe:2.3:a:azul:zulu:7.56:*:*:*:*:*:*:*
Matching versions
Azul » Zulu » Version: 8.64
cpe:2.3:a:azul:zulu:8.64:*:*:*:*:*:*:*
Matching versions
Azul » Zulu » Version: 11.58
cpe:2.3:a:azul:zulu:11.58:*:*:*:*:*:*:*
Matching versions
Azul » Zulu » Version: 13.50
cpe:2.3:a:azul:zulu:13.50:*:*:*:*:*:*:*
Matching versions
Azul » Zulu » Version: 15.42
cpe:2.3:a:azul:zulu:15.42:*:*:*:*:*:*:*
Matching versions
Azul » Zulu » Version: 6.49
cpe:2.3:a:azul:zulu:6.49:*:*:*:*:*:*:*
Matching versions
Azul » Zulu » Version: 19.28
cpe:2.3:a:azul:zulu:19.28:*:*:*:*:*:*:*
Matching versions