[Info-vax] CVE-2022-21449 and Oracle products; Java, MySQL Connectors, databases, etc

Arne Vajhøj arne at vajhoej.dk
Wed Apr 20 15:10:33 EDT 2022


On 4/20/2022 2:36 PM, Stephen Hoffman wrote:
> Nasty ECDSA asymmetric cryptographic bug in Java.

CVE-2022-0778 is indeed a nasty bug - some bad data
during SSL handshake will cause an infinite loop.

But it is a bug in OpenSSL.

It does impact GraalVM but not the Java part - the node.js part,
as it apparently uses OpenSSL.

(GraalVM is a rather weird bundle of products)

> Affects Java 15, 16, and 17, and 18, and a whole lot of dependent 
> products from Oracle and elsewhere.

No Java at all.

> Seven other cryptographic flaws affecting Java 7, 8, and 11, and which 
> might (does?) mean that OpenVMS users of Java (VSI OpenJDK V8.0 u222, 
> HP/HPE Java JDK) are also vulnerable to remote exploitation.
> 
> https://www.oracle.com/security-alerts/cpuapr2022.html

A bunch of bugs, CVE-2022-21449, CVE-2022-21476,
CVE-2022-21426, CVE-2022-21496, CVE-2022-21434 and CVE-2022-21443,
impact Java 7, 8, 11, 17 and 18. They may very likely also
impact 9, 10, 12, 13, 14, 15 and 16 - but those are non-LTS versions
and are out of support. It also impacts the GraalVM versions that
use those Java versions.

There is every reason to believe that the problematic code
is also in VMS I64 Java 8.

But per the note at Oracle and the similar notes at Redhat,
all these CVEs relate to running untrusted code in a sandbox
(under security manager) - that means Java applets, Java Web Start
and similar custom solutions.

They are serious bugs as they allow the code to break out of the sandbox
and access files.

But my best guess is that zero VMS sites are using any of this.

> Given what all has been happening in aggregate and more generally, y'all 
> really don't want to be down-revision on your critical patches.

That is always good advice.

Arne
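The ECDSA flaw that the quoted message calls "nasty" is CVE-2022-21449, whose published root cause is that the ECDSA verifier in the affected JDK releases did not reject a signature whose r or s value is zero. What follows is an added example, not code from this thread or from the JDK: a minimal P-256 ECDSA implementation in pure Python, with one verifier that models the shape of that flaw (a Fermat-style modular inverse that maps 0 to 0, and the point at infinity encoded as x = 0, so an all-zero signature "matches") beside a verifier that performs the range check 1 <= r, s <= n-1 that the ECDSA specification requires. The function names, the constructed message and the modelled buggy verifier are assumptions made for illustration; the curve constants are the standard NIST P-256 parameters.

```python
"""Added example: why an ECDSA verifier must reject r == 0 or s == 0.

Pure-Python NIST P-256 in affine coordinates (slow, dependency-free).
Not the JDK's code; verify_buggy() only models the published shape of
CVE-2022-21449, the hypothetical names here are for illustration.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (standard public constants).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

INF = None  # point at infinity (group identity)


def add(p1, p2):
    """Affine point addition / doubling on y^2 = x^3 + A*x + B mod P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1, result is the identity
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication; mul(0, pt) is INF."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(msg):
    """z = SHA-256(msg) as an integer reduced mod N (hash width == group order width)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen():
    d = secrets.randbelow(N - 1) + 1        # private scalar in [1, N-1]
    return d, mul(d, G)                     # (d, Q)


def sign(d, msg):
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1    # fresh random nonce per signature
        r = mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * d) % N
        if s != 0:
            return (r, s)


def verify_buggy(Q, msg, sig):
    """Models the flaw: no range check, inverse of 0 is 0, INF has x == 0."""
    r, s = sig
    z = hash_to_int(msg)
    w = pow(s, N - 2, N)                    # Fermat inverse: returns 0 for s == 0
    u1, u2 = z * w % N, r * w % N
    pt = add(mul(u1, G), mul(u2, Q))        # u1 == u2 == 0  ->  point at infinity
    x = 0 if pt is INF else pt[0]           # infinity encoded as x = 0 ...
    return x % N == r % N                   # ... so (0, 0) "verifies" for any key/message


def verify(Q, msg, sig):
    """Correct verifier: reject r, s outside [1, N-1] and an infinity result."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = hash_to_int(msg)
    w = pow(s, -1, N)
    u1, u2 = z * w % N, r * w % N
    pt = add(mul(u1, G), mul(u2, Q))
    if pt is INF:
        return False
    return pt[0] % N == r


def demo():
    """Genuine signature passes both verifiers; (0, 0) passes only the buggy one."""
    d, Q = keygen()
    msg = b"constructed sample message for the added example"
    genuine = sign(d, msg)
    forged = (0, 0)                         # the CVE-2022-21449 'psychic' signature
    return {
        "genuine_buggy": verify_buggy(Q, msg, genuine),
        "genuine_fixed": verify(Q, msg, genuine),
        "forged_buggy": verify_buggy(Q, msg, forged),
        "forged_fixed": verify(Q, msg, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The forged signature needs no private key, no nonce and no knowledge of the message, which is why a verifier that skips the range check is a total break rather than a weakness. The same check belongs in any ECDSA verifier regardless of language; a quick way to audit a third-party implementation is to feed it a DER-encoded signature with both integers set to zero and confirm it is rejected.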
