Visit Azul.com Support

Common Vulnerabilities and Exposures Fixes for October 2022

Table of Contents
Need help?
Schedule a consultation with an Azul performance expert.
Contact Us
Looking for Zing?
The Azul Zing Virtual Machine is now Azul Zulu Prime Builds of OpenJDK and part of Azul Platform Prime.
Learn more

The following Azul Platform Prime releases contain the January 2023 CPU release of OpenJDK:

CPU PSU

22.02.500.0

22.10.0.0

22.08.100.0

-

The following table lists the latest CVE fixes added in the Azul Platform Prime 22.08.100.0 release. The CVE IDs in the table apply to JDK 8, JDK 11, JDK 13, JDK 15, and JDK 17 unless noted otherwise.

October 2022 CVE Fix

CVSS VERSION 3.1 RISK

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2022-21618

JGSS

Kerberos

Yes

5.3

Network

Low

None

None

Unchanged

None

Low

None

17, 15, 13, 11

Note 2

CVE-2022-21626

Security

HTTPS

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

15, 13, 11, 8

Note 2

CVE-2022-21628

Lightweight HTTP Server

HTTP

Yes

5.3

Network

Low

None

None

Unchanged

None

None

Low

17, 15, 13, 11, 8, 7

Note 1

CVE-2022-21619

Security

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 15, 13, 11, 8

Note 2

CVE-2022-21624

JNDI

Multiple

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 15, 13, 11, 8

Note 2

CVE-2022-39399

Networking

HTTP

Yes

3.7

Network

High

None

None

Unchanged

None

Low

None

17, 15, 13, 11

Note 1

CVE-2022-32215 This CVE is not applicable to Azul Prime Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (Node.js)

HTTPS

Yes

9.1

Network

Low

None

None

Unchanged

High

High

None

None

CVE-2022-21634 This CVE is not applicable to Azul Prime Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: LLVM Interpreter

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2022-21597 This CVE is not applicable to Azul Prime Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: JavaScript

HTTP

Yes

5.3

Network

Low

None

None

Unchanged

Low

None

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Base and Impact Metric:

Metrics Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required ®

Scope

Unchanged (U) and Changed ©

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

October 2022 Non-CVE Security Fix

OpenJDK Patch ID Azul Prime Version Synopsis CPU/PSUCPU fixes are included in both CPU and PSU bundles. PSU fixes are included in the PSU bundles only.

JDK-8028265

17, 15, 13, 11, 8

Add legacy tz tests to OpenJDK

CPU, PSU

JDK-8291040

17, 15, 13, 11, 8

Upgrade WebKit

CPU, PSU

JDK-8290547

17, 15, 13, 11

Update font handling

CPU, PSU

JDK-8290540

17, 15, 13, 11, 8

Freer typing of fonts

CPU, PSU

JDK-8288508

17, 15, 13, 11, 8

Enhance ECDSA usage

CPU, PSU

JDK-8287446

17, 15, 13, 11

Enhance icon presentations

CPU, PSU

JDK-8286519

17, 15, 13, 11, 8

Better memory handling

CPU, PSU

JDK-8286511

17, 15, 13, 11, 8

Improve macro allocation

CPU, PSU

JDK-8285662

17, 15, 13, 11, 8

Better permission resolution

CPU, PSU

JDK-8282252

17, 15, 13, 11, 8

Improve BigInteger/Decimal validation

CPU, PSU

JDK-8292579

17, 15, 13, 11, 8

(tz) Update Timezone Data to 2022c

CPU, PSU