Visit Azul.com Support

Common Vulnerabilities and Exposures Fixes

Table of Contents
Need help?
Schedule a consultation with an Azul performance expert.
Contact Us

The following Azul Platform Prime releases contain the January 2022 CPU release of OpenJDK:

CPU PSU

21.08.300.0

21.08.400.0

-

22.01.0.0

The following table lists the latest CVE fixes added in the Azul Platform Prime 21.08.300.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.

January 2022 CVE Fix

CVSS VERSION 3.1 RISK

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2022-21277

ImageIO

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11

Note 1

CVE-2022-21282

JAXP

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

Low

None

None

17, 15, 13, 11, 8, 7

Note 1

CVE-2022-21283

Libraries

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21291

Hotspot

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

17, 15, 13, 11

Note 1

CVE-2022-21293

Libraries

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21294

Libraries

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21296

JAXP

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

Low

None

None

17, 15, 13, 11, 8, 7

Note 1

CVE-2022-21299

JAXP

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21305

Hotspot

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21340

Libraries

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21341

Serialization

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21349

2D

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

8, 7

Note 1

CVE-2022-21360

ImageIO

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21365

ImageIO

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2022-21366

ImageIO

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11

Note 1

CVE-2022-21248

Serialization

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 15, 13, 11, 8, 7, 6

Note 1

CVE-2021-22959 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (Node.js)

HTTP

Yes

6.5

Network

Low

None

None

Unchanged

Low

Low

None

None

CVE-2022-21271 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Libraries

Multiple

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

None

Note 1

Notes:

ID Notes

1

This vulnerability applies to Java deployments, typically in clients running sandboxed Java applications, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java applications, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Base and Impact Metric:

Metrics Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required ®

Scope

Unchanged (U) and Changed ©

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

January 2022 Non-CVE Security Fix

Patch ID in OpenJDK Bug DB JDK Levels Applicable in Azul Platform Prime Synopsis Java Update Type

JDK-8268488

17, 15, 13, 11, 8

More valuable DerValue

CPU

JDK-8271962

17, 15, 13, 11, 8

Better TrueType font loading

CPU

JDK-8272462

17, 15, 13, 11, 8

Enhance image handling

CPU

JDK-8268512

17, 15, 13, 11, 8

More content for ContentInfo

CPU

JDK-8279541

11

Improve HarfBuzz

CPU

JDK-8273968

17, 15, 13, 11, 8

JCK javax_xml tests fail in CI

CPU

JDK-8268795

11, 8

Enhance digests of Jar files

CPU

JDK-8269944

17, 15, 13, 11, 8

Better HTTP transport redux

CPU

JDK-8272272

17, 15, 13, 11, 8

Enhance jcmd communication

CPU

JDK-8273290

17, 15, 13, 11, 8

Enhance sound handling

CPU

JDK-8268494

17, 15, 13, 11, 8

Better inlining of inlined interfaces

CPU

JDK-8271968

17, 15, 13, 11, 8

Better canonical naming

CPU

JDK-8266091

15, 13, 11

Improve Zip file handling

CPU

JDK-8269151

17, 15, 13, 11, 8

Better construction of EncryptedPrivateKeyInfo

CPU

JDK-8271987

13, 11, 8

Manifest improved manifest entries

CPU

JDK-8268801

17, 15, 13, 11, 8

Improve PKCS attribute handling

CPU