CVE-2022-21443: Integer Underflow

Q: What is the severity of CVE-2022-21443?

CVE-2022-21443 has a low severity rating due to its impact mainly resulting in denial of service.

Q: How do I fix CVE-2022-21443?

To fix CVE-2022-21443, update to the specified patched versions of OpenJDK or the affected Java software mentioned in the remediation.

Q: Who is affected by CVE-2022-21443?

CVE-2022-21443 affects users of certain versions of OpenJDK, IBM Java, and other Java-based products.

Q: What types of attacks are possible with CVE-2022-21443?

CVE-2022-21443 allows an unauthenticated attacker to potentially cause a denial of service via unspecified attack vectors.

Q: When was CVE-2022-21443 discovered?

CVE-2022-21443 was discovered and publicly disclosed in 2022.

Published Apr 15, 2022

Updated

Eclipse Jetty is vulnerable to a denial of service, caused by an error related to some of the production servers spiking with CPU use. A remote attacker could exploit this vulnerability to consume CPU that remains high even without any traffic.

Other sources

It was discovered that the ObjectIdentifier class in the Libraries component of OpenJDK did not properly validate the encoded length of the object identifier. This could lead to an integer underflow and possibly cause a Java application to throw an out of memory (OOM) exception because of excessive memory allocation.

— Red Hat

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Affected Software

56 affected componentsFixes available

redhat/java<11-openjdk-1:11.0.15.0.9-2.el7_9

11-openjdk-1:11.0.15.0.9-2.el7_9

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el7_9

1.8.0-openjdk-1:1.8.0.332.b09-1.el7_9

redhat/java<1.7.1-ibm-1:1.7.1.5.10-1jpp.1.el7

1.7.1-ibm-1:1.7.1.5.10-1jpp.1.el7

redhat/java<1.8.0-ibm-1:1.8.0.7.10-1jpp.1.el7

1.8.0-ibm-1:1.8.0.7.10-1jpp.1.el7

redhat/java<11-openjdk-1:11.0.15.0.9-2.el8_5

11-openjdk-1:11.0.15.0.9-2.el8_5

redhat/java<17-openjdk-1:17.0.3.0.6-2.el8_5

17-openjdk-1:17.0.3.0.6-2.el8_5

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el8_5

1.8.0-openjdk-1:1.8.0.332.b09-1.el8_5

redhat/java<1.8.0-ibm-1:1.8.0.7.10-1.el8_6

1.8.0-ibm-1:1.8.0.7.10-1.el8_6

redhat/java<11-openjdk-1:11.0.15.0.9-2.el8_1

11-openjdk-1:11.0.15.0.9-2.el8_1

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el8_1

1.8.0-openjdk-1:1.8.0.332.b09-1.el8_1

redhat/java<11-openjdk-1:11.0.15.0.9-2.el8_2

11-openjdk-1:11.0.15.0.9-2.el8_2

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el8_2

1.8.0-openjdk-1:1.8.0.332.b09-1.el8_2

redhat/java<11-openjdk-1:11.0.15.0.9-2.el8_4

11-openjdk-1:11.0.15.0.9-2.el8_4

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el8_4

1.8.0-openjdk-1:1.8.0.332.b09-1.el8_4

redhat/java<11-openjdk-1:11.0.15.0.10-1.el9_0

11-openjdk-1:11.0.15.0.10-1.el9_0

redhat/java<17-openjdk-1:17.0.3.0.7-1.el9_0

17-openjdk-1:17.0.3.0.7-1.el9_0

redhat/java<1.8.0-openjdk-1:1.8.0.332.b09-1.el9_0

1.8.0-openjdk-1:1.8.0.332.b09-1.el9_0

debian/openjdk-11

11.0.16+8-1~deb10u111.0.20+8-1~deb10u111.0.20+8-1~deb11u111.0.21+9-1

debian/openjdk-17

17.0.7+7-1~deb11u117.0.8+7-1~deb12u117.0.9+9-1

debian/openjdk-8

8u382-ga-2

IBM Cognos Command Center<=10.2.4.1

Oracle GraalVM=20.3.5

Oracle GraalVM=21.3.1

Oracle GraalVM=22.0.0.2

Oracle Java SE=7u331

Oracle Java SE=8u321

Oracle Java SE=11.0.14

Oracle Java SE=17.0.2

Oracle Java SE=18

NetApp Active Iq Unified Manager Vmware Vsphere

NetApp Active Iq Unified Manager Windows

NetApp Cloud Insights Acquisition Unit

NetApp Cloud Secure Agent

NetApp E-Series SANtricity OS Controller>=11.0.0<=11.70.1

NetApp E-series Santricity Storage Manager

NetApp E-series Santricity Web Services Web Services Proxy

NetApp Element Software

NetApp Hci Management Node

NetApp OnCommand Insight

NetApp Santricity Unified Manager

NetApp Solidfire

All of the following

NetApp Bootstrap Os

NetApp Hci Compute Node

Debian Debian Linux=9.0

Debian Debian Linux=10.0

Debian Debian Linux=11.0

Azul Zulu=6.45

Azul Zulu=7.52

Azul Zulu=8.60

Azul Zulu=11.54

Azul Zulu=13.46

Azul Zulu=15.38

Azul Zulu=17.32

Azul Zulu=18.28

NetApp Bootstrap Os

NetApp Hci Compute Node

Remediation

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Event History

Apr 15, 2022

Data Sourced

via Red Hat·11:18 AM

DescriptionSeverityAffected Software

Apr 19, 2022

CVE Published

08:00 PM

CVE Published

via MITRE·08:37 PM

Data Sourced

via MITRE·08:37 PM

DescriptionSeverityWeakness

May 12, 56119

Event

05:07 PM

Parent advisories

This vulnerability appears in the following advisories.

Frequently Asked Questions

What is the severity of CVE-2022-21443?

CVE-2022-21443 has a low severity rating due to its impact mainly resulting in denial of service.

How do I fix CVE-2022-21443?