Common Vulnerabilities and Exposures Fixes for October 2022

Table of Contents

October 2022 CVE Fix
In-Depth Non-CVE Security Fixes

Need help?

Schedule a consultation with an Azul performance expert.

The following Azul Platform Prime releases contain the January 2023 CPU release of OpenJDK:

CPU	PSU
22.02.500.0	22.10.0.0
22.08.100.0	-

CPU

PSU

22.02.500.0

22.10.0.0

22.08.100.0

The following table lists the latest CVE fixes added in the Azul Platform Prime 22.08.100.0 release. The CVE IDs in the table apply to JDK 8, JDK 11, JDK 13, JDK 15, and JDK 17 unless noted otherwise.

October 2022 CVE Fix

CVSS VERSION 3.1 RISK

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2022-21618	JGSS	Kerberos	Yes	5.3	Network	Low	None	None	Unchanged	None	Low	None	17, 15, 13, 11	Note 2
CVE-2022-21626	Security	HTTPS	Yes	5.3	Network	Low	None	None	Unchanged	None	None	Low	15, 13, 11, 8	Note 2
CVE-2022-21628	Lightweight HTTP Server	HTTP	Yes	5.3	Network	Low	None	None	Unchanged	None	None	Low	17, 15, 13, 11, 8, 7	Note 1
CVE-2022-21619	Security	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 15, 13, 11, 8	Note 2
CVE-2022-21624	JNDI	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 15, 13, 11, 8	Note 2
CVE-2022-39399	Networking	HTTP	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 15, 13, 11	Note 1
CVE-2022-32215 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: Node (Node.js)	HTTPS	Yes	9.1	Network	Low	None	None	Unchanged	High	High	None	None
CVE-2022-21634 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: LLVM Interpreter	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None
CVE-2022-21597 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: JavaScript	HTTP	Yes	5.3	Network	Low	None	None	Unchanged	Low	None	None	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2022-21618

JGSS

Kerberos

Yes

5.3

Network

Low

None

Unchanged

None

Low

None

17, 15, 13, 11

Note 2

CVE-2022-21626

Security

HTTPS

Yes

5.3

Network

Low

None

Unchanged

None

Low

15, 13, 11, 8

Note 2

CVE-2022-21628

Lightweight HTTP Server

HTTP

Yes

5.3

Network

Low

None

Unchanged

None

Low

17, 15, 13, 11, 8, 7

Note 1

CVE-2022-21619

Security

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 15, 13, 11, 8

Note 2

CVE-2022-21624

JNDI

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 15, 13, 11, 8

Note 2

CVE-2022-39399

Networking

HTTP

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 15, 13, 11

Note 1

CVE-2022-32215 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (Node.js)

HTTPS

Yes

9.1

Network

Low

None

Unchanged

High

None

CVE-2022-21634 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: LLVM Interpreter

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

CVE-2022-21597 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: JavaScript

HTTP

Yes

5.3

Network

Low

None

Unchanged

Low

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Notes

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Base and Impact Metric:

Metrics	Values
Attack Vector	Network (N), Adjacent (A), Local (L), and Physical (P)
Attack Complexity	Low (L) and High (H)
Privileges Required	None (N), Low (L), and High (H)
User Interaction	None (N) and Required ®
Scope	Unchanged (U) and Changed ©
Confidentiality Impact	High (H), Low (L), and None (N)
Integrity Impact	High (H), Low (L), and None (N)
Availability Impact	High (H), Low (L), and None (N)

Metrics

Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required ®

Scope

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

October 2022 Non-CVE Security Fix

OpenJDK Patch ID	Azul Prime Version	Synopsis	CPU/PSUCPU fixes are included in both CPU and PSU bundles. PSU fixes are included in the PSU bundles only.
JDK-8028265	17, 15, 13, 11, 8	Add legacy tz tests to OpenJDK	CPU, PSU
JDK-8291040	17, 15, 13, 11, 8	Upgrade WebKit	CPU, PSU
JDK-8290547	17, 15, 13, 11	Update font handling	CPU, PSU
JDK-8290540	17, 15, 13, 11, 8	Freer typing of fonts	CPU, PSU
JDK-8288508	17, 15, 13, 11, 8	Enhance ECDSA usage	CPU, PSU
JDK-8287446	17, 15, 13, 11	Enhance icon presentations	CPU, PSU
JDK-8286519	17, 15, 13, 11, 8	Better memory handling	CPU, PSU
JDK-8286511	17, 15, 13, 11, 8	Improve macro allocation	CPU, PSU
JDK-8285662	17, 15, 13, 11, 8	Better permission resolution	CPU, PSU
JDK-8282252	17, 15, 13, 11, 8	Improve BigInteger/Decimal validation	CPU, PSU
JDK-8292579	17, 15, 13, 11, 8	(tz) Update Timezone Data to 2022c	CPU, PSU

OpenJDK Patch ID

Azul Prime Version

Synopsis

JDK-8028265

17, 15, 13, 11, 8

Add legacy tz tests to OpenJDK

CPU, PSU

JDK-8291040

17, 15, 13, 11, 8

Upgrade WebKit

CPU, PSU

JDK-8290547