Common Vulnerabilities and Exposures Fixes

Azul Platform Prime 22.07.0.0 is based on Azul Platform Prime 22.06.0.0 and 22.02.300.0, which contains the July 2022 CPU release of OpenJDK.

The following table lists the latest CVE fixes added in the Azul Platform Prime 22.02.300.0 release. The CVE IDs in the table apply to JDK 8, JDK 11, JDK 13, JDK 15, and JDK 17 unless noted otherwise.

July 2022 CVE Fix

CVSS VERSION 3.1 RISK

| CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-34169 | JAXP (Xalan-J) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 17, 15, 13, 11, 8 | Note 1 |
| CVE-2022-21541 | Hotspot | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 17, 15, 13, 11, 8 | Note 1 |
| CVE-2022-21540 | Hotspot | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 17, 15, 13, 11, 8 | Note 1 |
| CVE-2022-21549 | Libraries | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 17 | Note 1 |
| CVE-2022-25647 (a) | Native Image (Gson) | None | No | 6.2 | Local | Low | None | None | Unchanged | None | None | High | None | |

(a) This CVE is not applicable to Azul Zulu. It is listed here for comparison with other Java implementations which may contain this CVE.

Notes:

| ID | Notes |
|---|---|
| 1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |

Base and Impact Metric:

| Metrics | Values |
|---|---|
| Attack Vector | Network (N), Adjacent (A), Local (L), and Physical (P) |
| Attack Complexity | Low (L) and High (H) |
| Privileges Required | None (N), Low (L), and High (H) |
| User Interaction | None (N) and Required (R) |
| Scope | Unchanged (U) and Changed (C) |
| Confidentiality Impact | High (H), Low (L), and None (N) |
| Integrity Impact | High (H), Low (L), and None (N) |
| Availability Impact | High (H), Low (L), and None (N) |

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

July 2022 Non-CVE Security Fix

| Patch ID | Azul Prime Version | Synopsis | CPU/PSU |
|---|---|---|---|
| JDK-8286324 | 17, 15, 13, 11, 8 | Upgrade libxslt | CPU |
| JDK-8286317 | 17, 15, 13, 11, 8 | Upgrade libxml2 | CPU |
| JDK-8285691 | 17, 15, 13, 11, 8 | Additional fix for JDK-8282121 | CPU |
| JDK-8285686 | 17, 15, 13, 11, 8, 7, 6 | Update FreeType to 2.12.0 | CPU |
| JDK-8284370 | 17, 15, 13, 11, 8, 7, 6 | Improve zlib usage | CPU |
| JDK-8283389 | 17, 15, 13, 11, 8 | Update XML processing | CPU |
| JDK-8283350 | 17, 15, 13, 11, 8, 7, 6 | (tz) Update Timezone Data to 2022a | CPU |
| JDK-8283190 | 17, 15, 13, 11, 8, 7, 6 | Improve MIDI processing | CPU |
| JDK-8282121 | 17, 15, 13, 11, 8 | Improve WebKit referencing | CPU |
| JDK-8281159 | 17, 15, 13, 11, 8 | Better JavaScript support | CPU |
| JDK-8277608 | 17, 15, 13, 11, 8, 7, 6 | Address IP Addressing | CPU |
| JDK-8272249 | 17, 15, 13, 11, 8 | Better properties of loaded Properties | CPU |
| JDK-8272243 | 17, 15, 13, 11, 8, 7, 6 | Improve DER parsing | CPU |