[Info-vax] CVE-2022-21449 and Oracle products; Java, MySQL Connectors, databases, etc
Arne Vajhøj
arne at vajhoej.dk
Thu Apr 21 07:32:07 EDT 2022
On 4/20/2022 3:10 PM, Arne Vajhøj wrote:
> On 4/20/2022 2:36 PM, Stephen Hoffman wrote:
>> Seven other cryptographic flaws affecting Java 7, 8, and 11, and which
>> might (does?) mean that OpenVMS users of Java (VSI OpenJDK V8.0 u222,
>> HP/HPE Java JDK) are also vulnerable to remote exploitation.
>>
>> https://www.oracle.com/security-alerts/cpuapr2022.html
>
> A bunch of bugs CVE-2022-21449, CVE-2022-21476,
> CVE-2022-21426, CVE-2022-21496, CVE-2022-21434 and CVE-2022-21443
> impact Java 7, 8, 11, 17 and 18. They may very likely also
> impact 9, 10, 12, 13, 14, 15 and 16 - but those non-LTS versions
> are out of support. It also impacts the GraalVM versions that
> use those Java versions.
>
> There is every reason to believe that the problematic code
> is also in VMS I64 Java 8.
>
> But per the note at Oracle and the similar notes at Redhat,
> all these CVEs relate to running untrusted code in a sandbox
> (under security manager) - that means Java applets, Java Web Start
> and similar custom solutions.
>
> They are serious bugs as they allow the code to break out of the sandbox
> and access files.
>
> But my best guess is that zero VMS sites are using any of this.
Two additions:
1) some sources say that CVE-2022-21449 is not limited to sandboxed
environments, so it could apply to typical VMS scenarios
2) some sources say that CVE-2022-21449 only applies to Java 15 and
newer (which is not available for VMS)
Arne
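For sites that want to settle the version question empirically rather than from vendor notes: the published root cause of CVE-2022-21449 is that the affected ECDSA verifier accepted a signature whose r and s values are both zero. The following self-test is an added example, not code from the thread or from any vendor; it generates a throwaway key, asks the local JVM to verify an all-zero DER-encoded signature over a constructed message, and reports the runtime as affected only if that verification succeeds. The curve, algorithm name and message are arbitrary choices for the probe.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;

public class Cve202221449SelfTest {

    // DER encoding of SEQUENCE { INTEGER 0, INTEGER 0 }: an ECDSA signature
    // with r = 0 and s = 0. A correct verifier must reject it, since valid
    // ECDSA signatures require 1 <= r, s < n.
    private static final byte[] ZERO_SIGNATURE =
            {0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00};

    // Constructed probe message; its content is irrelevant to the check.
    private static final byte[] PROBE_MESSAGE =
            "constructed probe message".getBytes(StandardCharsets.UTF_8);

    /**
     * Returns true if this JVM's default provider accepts the all-zero
     * signature for a freshly generated key, i.e. the runtime is affected.
     * A patched runtime returns false or throws SignatureException.
     */
    public static boolean acceptsZeroSignature() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // arbitrary curve
        KeyPair kp = kpg.generateKeyPair();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(PROBE_MESSAGE);
        try {
            return verifier.verify(ZERO_SIGNATURE);
        } catch (SignatureException e) {
            // Rejecting the malformed signature by exception is the correct outcome.
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        boolean affected = acceptsZeroSignature();
        System.out.println("java.version=" + System.getProperty("java.version")
                + " provider=" + Signature.getInstance("SHA256withECDSA").getProvider().getName());
        System.out.println(affected
                ? "AFFECTED: all-zero ECDSA signature was accepted (CVE-2022-21449)"
                : "OK: all-zero ECDSA signature was rejected");
    }
}
```

Run it with the exact JDK the application uses (`javac Cve202221449SelfTest.java && java Cve202221449SelfTest`), since the result depends on the provider of that runtime, not on the OS.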