Details of VAR-202204-0596

ID

VAR-202204-0596

CVE

CVE-2022-21434

TITLE

Red Hat Security Advisory 2022-1440-01

Trust: 0.1

sources: PACKETSTORM: 166794

DESCRIPTION

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: java-11-openjdk security, bug fix, and enhancement update Advisory ID: RHSA-2022:1440-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:1440 Issue date: 2022-04-20 CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443 CVE-2022-21476 CVE-2022-21496 ==================================================================== 1. Summary: An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. The following packages have been upgraded to a later upstream version: java-11-openjdk (11.0.15.0.9). (BZ#2047531) Security Fix(es): * OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476) * OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426) * OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434) * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443) * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of OpenJDK Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 2047531 - Prepare for the next quarterly OpenJDK upstream release (2022-04, 11.0.15) [rhel-7] 2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) 2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) 2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) 2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) 2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972) 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: java-11-openjdk-11.0.15.0.9-2.el7_9.src.rpm x86_64: java-11-openjdk-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: java-11-openjdk-11.0.15.0.9-2.el7_9.src.rpm x86_64: java-11-openjdk-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: java-11-openjdk-11.0.15.0.9-2.el7_9.src.rpm ppc64: java-11-openjdk-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.ppc64.rpm ppc64le: java-11-openjdk-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.ppc64le.rpm s390x: java-11-openjdk-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.s390x.rpm x86_64: java-11-openjdk-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.ppc64.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.ppc64.rpm ppc64le: java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.ppc64le.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.ppc64le.rpm s390x: java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.s390x.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.s390x.rpm x86_64: java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: java-11-openjdk-11.0.15.0.9-2.el7_9.src.rpm x86_64: java-11-openjdk-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-devel-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-headless-11.0.15.0.9-2.el7_9.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-debuginfo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-demo-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-javadoc-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-javadoc-zip-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-jmods-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-src-11.0.15.0.9-2.el7_9.x86_64.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.i686.rpm java-11-openjdk-static-libs-11.0.15.0.9-2.el7_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-21426 https://access.redhat.com/security/cve/CVE-2022-21434 https://access.redhat.com/security/cve/CVE-2022-21443 https://access.redhat.com/security/cve/CVE-2022-21476 https://access.redhat.com/security/cve/CVE-2022-21496 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYmAx+NzjgjWX9erEAQjH/Q/+LWdIlvKxvVPZ5cWaFA2ZTaQrMfJiad6H 3lauUSupgikqAiHVhFviBTMlNpLg38lrt2gMgjDFodSi9SEUT9qp0ig1bC9FBqGt XifysNiTI6pJCIZiQDUlIsguakgJYv8oiuAPfBYZafV5LrVbgQXRBSlybpghXd87 21DymPq84hWR32lFNgQscDUI5MBmmMjn69Ta3iiKi51q5apNAggAyW6XzsA3JJQL M3/j0i1HcY4ONTip0M0lWxfneS/JTm6PO3NODBlIbHIBjMH2Ve6hBAdv2k67VgAm MGzhhwufwvbtq1WGvXZCxLCsRL092PSSoar3Mu3bnT7Aop2iQf28D9Fivk+IS2Ra n6/+Q6qwvonIbhMKg1DoPITivbbJyZJ47LRq7uc5zhx62z5ipVhx0PJU0UhGifRX ZHtOeLAWh+yob2cOs/5U2lydQ5whdJVeWWI8uC7jW+4N21OEVtpPU4yZezB5YTPl N4549Z8EcOOAOr4EM0v74Kv9Frrw6LoVKcC9nhCc/jLTlchYCl7p5LcQs+4xSkNO 12mg+dQAibL4txGMGkJVJBc0jIhN8CWuLPORnvjbfAQ9D6/esWGNBMrZZmbbqn5y 5d2CgprQx3Rk+4kI66emdZClZYB4P6tykCpPlFAVNtHbGcHFDHLBtchu5unRBbyw gxhzoRdL38A=hHHS -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html For Red Hat OpenShift Logging 5.3, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2334 - [release-5.3] Events listing out of order in Kibana 6.8.1 LOG-2450 - http.max_header_size set to 128kb causes communication with elasticsearch to stop working LOG-2481 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.3] 6. 9) - aarch64, ppc64le, s390x, x86_64 3. Description: New Cryostat 2.1.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes and addressing the following security vulnerability: CVE-2021-3121 (see References) Users of Cryostat 2.0.0 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images. You can find images updated by this advisory in Red Hat Container Catalog (see References). Solution: The Cryostat 2 on RHEL 8 container images provided by this update can be downloaded from the Red Hat Container Registry at registry.redhat.io. Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally. Bugs fixed (https://bugzilla.redhat.com/): 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 5. 9) - aarch64, noarch, ppc64le, s390x, x86_64 3. This update upgrades IBM Java SE 7 to version 7R1 SR5-FP10. For further information, refer to the release notes linked to in the References section. This update rectifies this situation and again uses the database provided in the JDK bundle. Users may also now configure the cacerts database in the java.security file using the property security.systemCACerts. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied

Trust: 1.8

sources: NVD: CVE-2022-21434 // VULHUB: VHN-407047 // PACKETSTORM: 166794 // PACKETSTORM: 167140 // PACKETSTORM: 167122 // PACKETSTORM: 167385 // PACKETSTORM: 167088 // PACKETSTORM: 167378 // PACKETSTORM: 167454 // PACKETSTORM: 166898 // PACKETSTORM: 166900

AFFECTED PRODUCTS

vendor:	oracle	model:	jdk	scope:	eq	version:	18	Trust: 1.0
vendor:	oracle	model:	jdk	scope:	eq	version:	1.7.0	Trust: 1.0
vendor:	netapp	model:	active iq unified manager	scope:	eq	version:	-	Trust: 1.0
vendor:	netapp	model:	cloud secure agent	scope:	eq	version:	-	Trust: 1.0
vendor:	netapp	model:	oncommand insight	scope:	eq	version:	-	Trust: 1.0
vendor:	azul	model:	zulu	scope:	eq	version:	13.46	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	netapp	model:	solidfire \& hci management node	scope:	eq	version:	-	Trust: 1.0
vendor:	azul	model:	zulu	scope:	eq	version:	6.45	Trust: 1.0
vendor:	oracle	model:	jdk	scope:	eq	version:	17.0.2	Trust: 1.0
vendor:	oracle	model:	jre	scope:	eq	version:	11.0.14	Trust: 1.0
vendor:	oracle	model:	jre	scope:	eq	version:	18	Trust: 1.0
vendor:	oracle	model:	jdk	scope:	eq	version:	1.8.0	Trust: 1.0
vendor:	oracle	model:	jre	scope:	eq	version:	1.7.0	Trust: 1.0
vendor:	oracle	model:	graalvm	scope:	eq	version:	22.0.0.2	Trust: 1.0
vendor:	netapp	model:	e-series santricity os controller	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	netapp	model:	solidfire\, enterprise sds \& hci storage node	scope:	eq	version:	-	Trust: 1.0
vendor:	azul	model:	zulu	scope:	eq	version:	8.60	Trust: 1.0
vendor:	netapp	model:	7-mode transition tool	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	graalvm	scope:	eq	version:	20.3.5	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	11.0	Trust: 1.0
vendor:	netapp	model:	santricity unified manager	scope:	eq	version:	-	Trust: 1.0
vendor:	netapp	model:	e-series santricity os controller	scope:	lte	version:	11.70.1	Trust: 1.0
vendor:	netapp	model:	cloud insights acquisition unit	scope:	eq	version:	-	Trust: 1.0
vendor:	azul	model:	zulu	scope:	eq	version:	7.52	Trust: 1.0
vendor:	azul	model:	zulu	scope:	eq	version:	11.54	Trust: 1.0
vendor:	azul	model:	zulu	scope:	eq	version:	15.38	Trust: 1.0
vendor:	azul	model:	zulu	scope:	eq	version:	17.32	Trust: 1.0
vendor:	oracle	model:	jre	scope:	eq	version:	1.8.0	Trust: 1.0
vendor:	azul	model:	zulu	scope:	eq	version:	18.28	Trust: 1.0
vendor:	oracle	model:	graalvm	scope:	eq	version:	21.3.1	Trust: 1.0
vendor:	oracle	model:	jre	scope:	eq	version:	17.0.2	Trust: 1.0
vendor:	netapp	model:	e-series santricity web services	scope:	eq	version:	-	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	oracle	model:	jdk	scope:	eq	version:	11.0.14	Trust: 1.0
vendor:	netapp	model:	e-series santricity storage manager	scope:	eq	version:	-	Trust: 1.0
vendor:	netapp	model:	hci compute node	scope:	eq	version:	-	Trust: 1.0

sources: NVD: CVE-2022-21434

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-21434
value:	MEDIUM
Trust: 1.0
secalert_us@oracle.com:	CVE-2022-21434
value:	MEDIUM
Trust: 1.0
VULHUB:	VHN-407047
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-21434
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-407047
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

secalert_us@oracle.com:	CVE-2022-21434
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-407047 // NVD: CVE-2022-21434 // NVD: CVE-2022-21434

PROBLEMTYPE DATA

problemtype:

NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2022-21434

EXTERNAL IDS

db:	NVD	id:	CVE-2022-21434	Trust: 2.0
db:	PACKETSTORM	id:	167385	Trust: 0.2
db:	PACKETSTORM	id:	167378	Trust: 0.2
db:	PACKETSTORM	id:	167122	Trust: 0.2
db:	PACKETSTORM	id:	167088	Trust: 0.2
db:	PACKETSTORM	id:	167140	Trust: 0.2
db:	PACKETSTORM	id:	167454	Trust: 0.2
db:	PACKETSTORM	id:	167456	Trust: 0.1
db:	PACKETSTORM	id:	167327	Trust: 0.1
db:	PACKETSTORM	id:	167008	Trust: 0.1
db:	PACKETSTORM	id:	167980	Trust: 0.1
db:	PACKETSTORM	id:	167388	Trust: 0.1
db:	PACKETSTORM	id:	166967	Trust: 0.1
db:	PACKETSTORM	id:	167164	Trust: 0.1
db:	PACKETSTORM	id:	167142	Trust: 0.1
db:	PACKETSTORM	id:	167942	Trust: 0.1
db:	PACKETSTORM	id:	167271	Trust: 0.1
db:	PACKETSTORM	id:	167979	Trust: 0.1
db:	PACKETSTORM	id:	166954	Trust: 0.1
db:	VULHUB	id:	VHN-407047	Trust: 0.1
db:	PACKETSTORM	id:	166794	Trust: 0.1
db:	PACKETSTORM	id:	166898	Trust: 0.1
db:	PACKETSTORM	id:	166900	Trust: 0.1

sources: VULHUB: VHN-407047 // PACKETSTORM: 166794 // PACKETSTORM: 167140 // PACKETSTORM: 167122 // PACKETSTORM: 167385 // PACKETSTORM: 167088 // PACKETSTORM: 167378 // PACKETSTORM: 167454 // PACKETSTORM: 166898 // PACKETSTORM: 166900 // NVD: CVE-2022-21434

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20220429-0006/	Trust: 1.1
url:	https://www.debian.org/security/2022/dsa-5128	Trust: 1.1
url:	https://www.debian.org/security/2022/dsa-5131	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuapr2022.html	Trust: 1.1
url:	https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html	Trust: 1.1
url:	https://security.netapp.com/advisory/ntap-20240621-0006/	Trust: 1.0
url:	https://access.redhat.com/security/cve/cve-2022-21443	Trust: 0.9
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.9
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21443	Trust: 0.9
url:	https://access.redhat.com/security/team/contact/	Trust: 0.9
url:	https://access.redhat.com/security/cve/cve-2022-21434	Trust: 0.9
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21496	Trust: 0.9
url:	https://access.redhat.com/security/cve/cve-2022-21496	Trust: 0.9
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21434	Trust: 0.9
url:	https://bugzilla.redhat.com/):	Trust: 0.9
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21426	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21476	Trust: 0.8
url:	https://access.redhat.com/security/cve/cve-2022-21426	Trust: 0.8
url:	https://access.redhat.com/security/cve/cve-2022-21476	Trust: 0.8
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.5
url:	https://access.redhat.com/articles/11258	Trust: 0.4
url:	https://access.redhat.com/security/team/key/	Trust: 0.4
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1154	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-1154	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2018-25032	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2018-25032	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2022-1271	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1271	Trust: 0.3
url:	https://issues.jboss.org/):	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-43797	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-0759	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37137	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-43797	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-21698	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-25636	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-25636	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-37137	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-4028	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2021-37136	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0778	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-4028	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37136	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-0778	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0759	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21698	Trust: 0.2
url:	https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-21449	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21449	Trust: 0.2
url:	https://access.redhat.com/errata/rhsa-2022:1440	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:2218	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:2217	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1729	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-3121	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3121	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1679	Trust: 0.1
url:	https://access.redhat.com/containers	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:2137	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-35561	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:4957	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-35561	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21299	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21299	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1438	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/openjdk/8/html/installing_and_using_openjdk_8_for_rhel/assembly_installing-openjdk-8-on-red-hat-enterprise-linux_openjdk#installing-jdk11-on-rhel-using-archive_openjdk	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:1437	Trust: 0.1

CREDITS

Red Hat

Trust: 0.9

sources: PACKETSTORM: 166794 // PACKETSTORM: 167140 // PACKETSTORM: 167122 // PACKETSTORM: 167385 // PACKETSTORM: 167088 // PACKETSTORM: 167378 // PACKETSTORM: 167454 // PACKETSTORM: 166898 // PACKETSTORM: 166900

SOURCES

db:	VULHUB	id:	VHN-407047
db:	PACKETSTORM	id:	166794
db:	PACKETSTORM	id:	167140
db:	PACKETSTORM	id:	167122
db:	PACKETSTORM	id:	167385
db:	PACKETSTORM	id:	167088
db:	PACKETSTORM	id:	167378
db:	PACKETSTORM	id:	167454
db:	PACKETSTORM	id:	166898
db:	PACKETSTORM	id:	166900
db:	NVD	id:	CVE-2022-21434

LAST UPDATE DATE

2024-11-20T21:34:02.011000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-407047	date:	2022-07-28T00:00:00
db:	NVD	id:	CVE-2022-21434	date:	2024-06-21T19:15:22.170

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-407047	date:	2022-04-19T00:00:00
db:	PACKETSTORM	id:	166794	date:	2022-04-21T15:08:25
db:	PACKETSTORM	id:	167140	date:	2022-05-12T15:53:27
db:	PACKETSTORM	id:	167122	date:	2022-05-12T15:38:35
db:	PACKETSTORM	id:	167385	date:	2022-06-03T15:56:14
db:	PACKETSTORM	id:	167088	date:	2022-05-11T16:48:11
db:	PACKETSTORM	id:	167378	date:	2022-06-03T15:37:50
db:	PACKETSTORM	id:	167454	date:	2022-06-09T16:10:41
db:	PACKETSTORM	id:	166898	date:	2022-04-29T12:36:12
db:	PACKETSTORM	id:	166900	date:	2022-04-29T12:36:41
db:	NVD	id:	CVE-2022-21434	date:	2022-04-19T21:15:15.387