Common Vulnerabilities and Exposures Fixes

Azul Platform Prime 22.02.100.0 is based on Azul Platform Prime 22.02.3.0, which contains the April 2022 CPU release of OpenJDK.

The following table lists the latest CVE fixes added in the Azul Platform Prime 22.02.100.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.

April 2022 CVE Fix

CVSS VERSION 3.1 RISK

| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-25032 | ZIP | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 17, 15, 13, 11, 8, 7, 6 | |
| CVE-2022-21449 | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 18, 17, 15 | Note 1 |
| CVE-2022-21476 | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 18, 17, 15, 13, 11, 8, 7 | Note 1 |
| CVE-2022-21426 | JAXP | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 18, 17, 15, 13, 11, 8, 7, 6 | Note 1 |
| CVE-2022-21434 | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 18, 17, 15, 13, 11, 8, 7, 6 | Note 1 |
| CVE-2022-21496 | JNDI | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 18, 17, 15, 13, 11, 8, 7, 6 | Note 1 |
| CVE-2022-21443 | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 18, 17, 15, 13, 11, 8, 7, 6 | Note 1 |
| CVE-2022-0778. This CVE is not applicable to Azul Zulu. It is listed here for comparison with other Java implementations which may contain this CVE. | Oracle GraalVM Enterprise Edition: Node (OpenSSL) | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | None | |

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java applications, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Base and Impact Metric:

| Metrics | Values |
|---|---|
| Attack Vector | Network (N), Adjacent (A), Local (L), and Physical (P) |
| Attack Complexity | Low (L) and High (H) |
| Privileges Required | None (N), Low (L), and High (H) |
| User Interaction | None (N) and Required (R) |
| Scope | Unchanged (U) and Changed (C) |
| Confidentiality Impact | High (H), Low (L), and None (N) |
| Integrity Impact | High (H), Low (L), and None (N) |
| Availability Impact | High (H), Low (L), and None (N) |

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

April 2022 Non-CVE Security Fix

| ZULU-35911 | 17, 15, 13, 11, 8, 7, 6 | improve DDOT handling in xpath | CPU |
| JDK-8284548 | 17, 15, 13, 11, 8, 7, 6 | Invalid XPath expression causes StringIndexOutOfBoundsException | CPU |
| JDK-8282397 | 17, 15, 13, 11, 8, 7, 6 | createTempFile method of java.io.File is failing when called with suffix of spaces character | CPU |
| JDK-8282300 | 17, 15, 13, 11, 8, 7, 6 | Throws NamingException instead of InvalidNameException after JDK-8278972 | CPU |
| JDK-8281498 | 17, 15, 13, 11, 8, 7, 6 | Better DER support | CPU |
| JDK-8281388 | 17, 15, 13, 11, 8, 7, 6 | Change wrapping of EncryptedPrivateKeyInfo | CPU |
| JDK-8281152 | 17, 15, 13, 11, 8, 7, 6 | Improved WebKit support | CPU |
| JDK-8278805 | 17, 15, 13, 11, 8, 7, 6 | Enhance BMP image loading | CPU |
| JDK-8278449 | 17, 15, 13, 11, 8, 7, 6 | Improve keychain support | CPU |
| JDK-8278356 | 17, 15, 13, 11, 8, 7, 6 | Improve file creation | CPU |
| JDK-8277465 | 17, 15, 13, 11, 8, 7, 6 | Additional fix for JDK-8276371 | CPU |
| JDK-8277227 | 17, 15, 13, 11, 8, 7, 6 | Better identification of OIDs | CPU |
| JDK-8276371 | 17, 15, 13, 11, 8, 7, 6 | Better long buffering | CPU |
| JDK-8274221 | 17, 15, 13, 11, 8, 7, 6 | More definite BER encodings | CPU |
| JDK-8272594 | 17, 15, 13, 11, 8, 7, 6 | Better record of recordings | CPU |
| JDK-8272588 | 17, 15, 13, 11, 8, 7, 6 | Enhanced recording parsing | CPU |
| JDK-8272261 | 17, 15, 13, 11, 8, 7, 6 | Improve JFR recording file processing | CPU |
| JDK-8272255 | 17, 15, 13, 11, 8, 7, 6 | Completely handle MIDI files | CPU |
| JDK-8269938 | 17, 15, 13, 11, 8, 7, 6 | Enhance XML processing passes redux | CPU |