CVE-2022-21434: Medium severity ibm cognos command center vulnerability

Q: What is the severity of CVE-2022-21434?

CVE-2022-21434 has a low integrity impact but no confidentiality or availability impact.

Q: How do I fix CVE-2022-21434?

To fix CVE-2022-21434, update to the recommended versions provided, such as 11-openjdk-1:11.0.15.0.9-2.el7_9 or equivalent.

Q: What products are affected by CVE-2022-21434?

CVE-2022-21434 affects several products including Oracle Java SE, GraalVM Enterprise Edition, and various OpenJDK versions.

Q: Can an attacker exploit CVE-2022-21434?

Yes, an unauthenticated attacker can potentially exploit CVE-2022-21434 due to its unspecified nature.

Q: Is there a workaround for CVE-2022-21434?

There are no specific workarounds; the recommended action is to upgrade to the specified fixed versions.

Published Apr 15, 2022

Updated

An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.

Other sources

It was discovered that the AnnotationInvocationHandler class in the Libraries component of OpenJDK did not properly convert an object argument into its textual representation, allowing calls to the overridable toString() method when generating an Exception.

— Red Hat

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Affected Software

58 affected componentsFixes available

redhat/java<11-openjdk-1:11.0.15.0.9-2.el7_9

11-openjdk-1:11.0.15.0.9-2.el7_9

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el7_9

1.8.0-openjdk-1:1.8.0.332.b09-1.el7_9

redhat/java<1.7.1-ibm-1:1.7.1.5.10-1jpp.1.el7

1.7.1-ibm-1:1.7.1.5.10-1jpp.1.el7

redhat/java<1.8.0-ibm-1:1.8.0.7.10-1jpp.1.el7

1.8.0-ibm-1:1.8.0.7.10-1jpp.1.el7

redhat/java<11-openjdk-1:11.0.15.0.9-2.el8_5

11-openjdk-1:11.0.15.0.9-2.el8_5

redhat/java<17-openjdk-1:17.0.3.0.6-2.el8_5

17-openjdk-1:17.0.3.0.6-2.el8_5

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el8_5

1.8.0-openjdk-1:1.8.0.332.b09-1.el8_5

redhat/java<1.8.0-ibm-1:1.8.0.7.10-1.el8_6

1.8.0-ibm-1:1.8.0.7.10-1.el8_6

redhat/java<11-openjdk-1:11.0.15.0.9-2.el8_1

11-openjdk-1:11.0.15.0.9-2.el8_1

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el8_1

1.8.0-openjdk-1:1.8.0.332.b09-1.el8_1

redhat/java<11-openjdk-1:11.0.15.0.9-2.el8_2

11-openjdk-1:11.0.15.0.9-2.el8_2

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el8_2

1.8.0-openjdk-1:1.8.0.332.b09-1.el8_2

redhat/java<11-openjdk-1:11.0.15.0.9-2.el8_4

11-openjdk-1:11.0.15.0.9-2.el8_4

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el8_4

1.8.0-openjdk-1:1.8.0.332.b09-1.el8_4

redhat/java<11-openjdk-1:11.0.15.0.10-1.el9_0

11-openjdk-1:11.0.15.0.10-1.el9_0

redhat/java<17-openjdk-1:17.0.3.0.7-1.el9_0

17-openjdk-1:17.0.3.0.7-1.el9_0

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el9_0

1.8.0-openjdk-1:1.8.0.332.b09-1.el9_0

debian/openjdk-11

11.0.16+8-1~deb10u111.0.20+8-1~deb10u111.0.20+8-1~deb11u111.0.21+9-1

debian/openjdk-17

17.0.7+7-1~deb11u117.0.8+7-1~deb12u117.0.9+9-1

debian/openjdk-8

8u382-ga-2

IBM Cognos Command Center<=10.2.4.1

Oracle GraalVM=20.3.5

Oracle GraalVM=21.3.1

Oracle GraalVM=22.0.0.2

Oracle JDK=1.7.0-update331

Oracle JDK=1.8.0-update321

Oracle JDK=11.0.14

Oracle JDK=17.0.2

Oracle JDK=18

Oracle JRE=1.7.0-update331

Oracle JRE=1.8.0-update321

Oracle JRE=11.0.14

Oracle JRE=17.0.2

Oracle JRE=18

Debian Debian Linux=9.0

Debian Debian Linux=10.0

Debian Debian Linux=11.0

NetApp 7-Mode Transition Tool

NetApp Active Iq Unified Manager Vsphere

NetApp Active Iq Unified Manager Windows

NetApp Cloud Insights Acquisition Unit

NetApp Cloud Secure Agent

NetApp E-Series SANtricity OS Controller>=11.0.0<=11.70.1

NetApp E-series Santricity Storage Manager

NetApp E-series Santricity Web Services Web Services Proxy

NetApp OnCommand Insight

NetApp Santricity Unified Manager

NetApp Solidfire\, Enterprise Sds \& Hci Storage Node

NetApp Solidfire \& Hci Management Node

NetApp Hci Compute Node Firmware

Azul Zulu=6.45

Azul Zulu=7.52

Azul Zulu=8.60

Azul Zulu=11.54

Azul Zulu=13.46

Azul Zulu=15.38

Azul Zulu=17.32

Azul Zulu=18.28

Remediation

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Event History

Apr 15, 2022

Data Sourced

via Red Hat·03:19 PM

DescriptionSeverityAffected Software

Apr 19, 2022

CVE Published

08:00 PM

CVE Published

via MITRE·08:37 PM

Data Sourced

via MITRE·08:37 PM

DescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

What is the severity of CVE-2022-21434?

CVE-2022-21434 has a low integrity impact but no confidentiality or availability impact.

How do I fix CVE-2022-21434?