Bug 1198670 – VUL-0: CVE-2022-21449: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE

Bug 1198670 - (CVE-2022-21449) VUL-0: CVE-2022-21449: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE

(CVE-2022-21449)
Summary:	VUL-0: CVE-2022-21449: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,...

Status:	NEW
Duplicates:	1201643 (view as bug list)

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Major
Target Milestone:	---
Assigned To:	Fridrich Strba
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/329556/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-21449:7.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-04-20 07:16 UTC by Alexander Bergmann
Modified:	2022-08-03 16:23 UTC (History)
CC List:	3 users (show)

See Also:	https://bugzilla.linux.ibm.com/show_bug.cgi?id=199036
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
CVE202221449.java (502 bytes, text/x-java) 2022-04-20 11:56 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2022-04-20 07:16:35 UTC

CVE-2022-21449

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product
of Oracle Java SE (component: Libraries). Supported versions that are affected
are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise
Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
of this vulnerability can result in unauthorized creation, deletion or
modification access to critical data or all Oracle Java SE, Oracle GraalVM
Enterprise Edition accessible data. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web Start applications
or sandboxed Java applets, that load and run untrusted code (e.g., code that
comes from the internet) and rely on the Java sandbox for security. This
vulnerability can also be exploited by using APIs in the specified Component,
e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score
7.5 (Integrity impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21449
https://www.oracle.com/security-alerts/cpuapr2022.html#CVE-2022-21449
https://www.oracle.com/security-alerts/cpuapr2022.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449

Comment 1 Marcus Meissner 2022-04-20 11:35:32 UTC

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

basically ECDSA signature checking can be bypassed if you pass in (0,0) as coordinate.

The blog references only Java 15 and later, but the above CVE also mentions lower versions.

Comment 2 Marcus Meissner 2022-04-20 11:56:40 UTC

Created attachment 858274 [details]
CVE202221449.java

converted jshell exploit to standalone java

with openjdk 17:

$ java CVE202221449.java
verify true

with openjdk 11:

$ java CVE202221449.java
verify false

Comment 3 Marcus Meissner 2022-04-20 11:57:42 UTC

(verify false = GOOD, verify true = BAD)

Comment 4 Marcus Meissner 2022-04-20 12:01:19 UTC

is in 15-sp4, needs update there asap

Comment 5 Marcus Meissner 2022-04-20 12:03:06 UTC

so java-11-openjdk and older not affected. 

java-17-openjdk is affected.

Comment 9 Gianluca Gabrielli 2022-07-20 10:57:16 UTC

*** Bug 1201643 has been marked as a duplicate of this bug. ***

Comment 10 LTC BugProxy 2022-07-20 11:06:49 UTC

IBM Security Update April 2022:
* https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
CVE-2022-21476 CVE-2022-21449 CVE-2022-21496 CVE-2022-21434
CVE-2022-21426 CVE-2022-21443

New available versions:
* java-1_8_0-ibm: 8.0.7.10
* java-1_7_1-ibm: 7.1.5.10
* java-1_7_0-ibm: 7.0.11.10

I'm adding IBM in CC.
Hi Pedro,

We were already tracking them with the following issues since April.

CVE-2022-21476 -> bsc#1198671
CVE-2022-21449 -> bsc#1198670
CVE-2022-21496 -> bsc#1198673
CVE-2022-21434 -> bsc#1198674
CVE-2022-21426 -> bsc#1198672
CVE-2022-21443 -> bsc#1198675

Probably nobody tagged you in them or asked to submit patches, that's our fault. Thanks to proactively submitted yourself.

I close this issue as duplicated.

*** This bug has been marked as a duplicate of bug 1198670 ***

Comment 11 Swamp Workflow Management 2022-07-23 16:15:57 UTC

SUSE-SU-2022:2539-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1191912,1194931,1198670,1198671,1198672,1198673,1198674,1198675,1201643
CVE References: CVE-2021-35561,CVE-2022-21299,CVE-2022-21426,CVE-2022-21434,CVE-2022-21443,CVE-2022-21449,CVE-2022-21476,CVE-2022-21496
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    java-1_7_1-ibm-1.7.1_sr5.10-38.71.1
SUSE OpenStack Cloud 9 (src):    java-1_7_1-ibm-1.7.1_sr5.10-38.71.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    java-1_7_1-ibm-1.7.1_sr5.10-38.71.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    java-1_7_1-ibm-1.7.1_sr5.10-38.71.1
SUSE Linux Enterprise Server 12-SP5 (src):    java-1_7_1-ibm-1.7.1_sr5.10-38.71.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    java-1_7_1-ibm-1.7.1_sr5.10-38.71.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    java-1_7_1-ibm-1.7.1_sr5.10-38.71.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_7_1-ibm-1.7.1_sr5.10-38.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2022-07-23 16:17:27 UTC

SUSE-SU-2022:2540-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1191912,1194931,1198670,1198671,1198672,1198673,1198674,1198675,1201643
CVE References: CVE-2021-35561,CVE-2022-21299,CVE-2022-21426,CVE-2022-21434,CVE-2022-21443,CVE-2022-21449,CVE-2022-21476,CVE-2022-21496
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    java-1_8_0-ibm-1.8.0_sr7.10-30.90.1
SUSE OpenStack Cloud 9 (src):    java-1_8_0-ibm-1.8.0_sr7.10-30.90.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    java-1_8_0-ibm-1.8.0_sr7.10-30.90.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    java-1_8_0-ibm-1.8.0_sr7.10-30.90.1
SUSE Linux Enterprise Server 12-SP5 (src):    java-1_8_0-ibm-1.8.0_sr7.10-30.90.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.10-30.90.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.10-30.90.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.10-30.90.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Swamp Workflow Management 2022-08-03 16:23:55 UTC

SUSE-SU-2022:2650-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1191912,1194931,1198670,1198671,1198672,1198673,1198674,1198675,1201643
CVE References: CVE-2021-35561,CVE-2022-21299,CVE-2022-21426,CVE-2022-21434,CVE-2022-21443,CVE-2022-21449,CVE-2022-21476,CVE-2022-21496
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
openSUSE Leap 15.3 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Manager Server 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Manager Retail Branch Server 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Manager Proxy 4.1 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Server for SAP 15 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Server 15-LTSS (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Enterprise Storage 7 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE Enterprise Storage 6 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1
SUSE CaaS Platform 4.0 (src):    java-1_8_0-ibm-1.8.0_sr7.10-150000.3.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.