Common Vulnerabilities and Exposures Fixes
The following Azul Platform Prime releases contain the January 2022 CPU release of OpenJDK:
| CPU | PSU |
|---|---|
21.08.300.0 |
21.08.400.0 |
- |
22.01.0.0 |
The following table lists the latest CVE fixes added in the Azul Platform Prime 21.08.300.0 release. The CVE IDs in the table apply to JDK 7, JDK 8, JDK 11, JDK 13, and JDK 15 unless noted otherwise.
January 2022 CVE Fix
CVSS VERSION 3.1 RISK
| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ImageIO |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11 |
Note 1 |
|
JAXP |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
Low |
None |
None |
17, 15, 13, 11, 8, 7 |
Note 1 |
|
Libraries |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
17, 15, 13, 11 |
Note 1 |
|
Libraries |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Libraries |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
JAXP |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
Low |
None |
None |
17, 15, 13, 11, 8, 7 |
Note 1 |
|
JAXP |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
Low |
None |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Libraries |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
Serialization |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
2D |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
8, 7 |
Note 1 |
|
ImageIO |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
ImageIO |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
ImageIO |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
17, 15, 13, 11 |
Note 1 |
|
Serialization |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
None |
Low |
None |
17, 15, 13, 11, 8, 7, 6 |
Note 1 |
|
CVE-2021-22959 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM Enterprise Edition: Node (Node.js) |
HTTP |
Yes |
6.5 |
Network |
Low |
None |
None |
Unchanged |
Low |
Low |
None |
None |
|
CVE-2022-21271 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM Enterprise Edition: Libraries |
Multiple |
Yes |
5.3 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
Low |
None |
Note 1 |
Notes:
| ID | Notes |
|---|---|
1 |
This vulnerability applies to Java deployments, typically in clients running sandboxed Java applications, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
Notes:
-
This vulnerability applies to Java deployments, typically in clients running sandboxed Java applications, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
Base and Impact Metric:
| Metrics | Values |
|---|---|
Attack Vector |
Network (N), Adjacent (A), Local (L), and Physical (P) |
Attack Complexity |
Low (L) and High (H) |
Privileges Required |
None (N), Low (L), and High (H) |
User Interaction |
None (N) and Required ® |
Scope |
Unchanged (U) and Changed © |
Confidentiality Impact |
High (H), Low (L), and None (N) |
Integrity Impact |
High (H), Low (L), and None (N) |
Availability Impact |
High (H), Low (L), and None (N) |
In-Depth Non-CVE Security Fixes
The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.
January 2022 Non-CVE Security Fix
| Patch ID in OpenJDK Bug DB | JDK Levels Applicable in Azul Platform Prime | Synopsis | Java Update Type |
|---|---|---|---|
17, 15, 13, 11, 8 |
More valuable DerValue |
CPU |
|
17, 15, 13, 11, 8 |
Better TrueType font loading |
CPU |
|
17, 15, 13, 11, 8 |
Enhance image handling |
CPU |
|
17, 15, 13, 11, 8 |
More content for ContentInfo |
CPU |
|
11 |
Improve HarfBuzz |
CPU |
|
17, 15, 13, 11, 8 |
JCK javax_xml tests fail in CI |
CPU |
|
11, 8 |
Enhance digests of Jar files |
CPU |
|
17, 15, 13, 11, 8 |
Better HTTP transport redux |
CPU |
|
17, 15, 13, 11, 8 |
Enhance jcmd communication |
CPU |
|
17, 15, 13, 11, 8 |
Enhance sound handling |
CPU |
|
17, 15, 13, 11, 8 |
Better inlining of inlined interfaces |
CPU |
|
17, 15, 13, 11, 8 |
Better canonical naming |
CPU |
|
15, 13, 11 |
Improve Zip file handling |
CPU |
|
17, 15, 13, 11, 8 |
Better construction of EncryptedPrivateKeyInfo |
CPU |
|
13, 11, 8 |
Manifest improved manifest entries |
CPU |
|
17, 15, 13, 11, 8 |
Improve PKCS attribute handling |
CPU |