by using the XML parsing APIs, or by sending specially crafted requests. The attacker must host the code on an insecure web server, or provide a link to the code. Access to these APIs can be disabled by setting the graal.serialization.enabled property to false. [CVE-2018-13087] - Improper Initialization of the Graal Compiler Service. [CVE-2018-13088] - Improper Restriction of the Permissions of the Graal Native Code Generator. - Data Injection Vulnerability in the Oracle JDK. [CVE-2018-13089] - Improper Restriction of the Permissions of the Graal Native Code Generator. - Unrestricted Upload of Code via the Java Web Console. - Unrestricted Upload of Code via the Java Debugger. - Incorrect Access Control for User-Defined Classes and Packages. - Improper Restriction of the Permissions of the Graal Native Code Generator. - Data Injection Vulnerability in the Oracle JDK. [CVE-2018-13090] - Improper Restriction of the Permissions of the Graal Native Code Generator. - Unrestricted Upload of Code via the Java Web Console. - Unrestricted Upload of Code via the Java Debugger. - Incorrect Access Control for User-Defined Classes and Packages. Oracle has provided a security release to address these vulnerabilities. Interested parties can find information about the security release at: https://blogs.oracle.
What is Oracle Graal?
Oracle Graal is an implementation of the Java Virtual Machine that can be used as a compiler, just like the JDK. Oracle’s goal is to enable developers to use Java features without having to compile their code themselves. In addition, Oracle hopes that by providing a more feature-rich java compiler they will be able to build a developer product that will replace the paid version of Oracle JDK.
Timeline
Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 15:14:00 UTC
References
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.netapp.com/advisory/ntap-20220121-0007/
- https://www.debian.org/security/2022/dsa-5057
- https://www.debian.org/security/2022/dsa-5058
- https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPIWQ6DL5IPOT54UBWTISG5T24FQJ7MN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4J2N4FNXW6JKJBWUZH6SNI2UHCZXQXCY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21248