CVE-2022-21618 An unpatched vulnerability in Oracle Java SE could affect Oracle GraalVM Enterprise Edition 19, 21.3.3, and 22.2.0. This vulnerability could be exploited to gain access to sensitive information.

Exploitation of this vulnerability requires that a user is logged in with administrative privileges.

1.2 Vulnerabilities in the Java SE component

The following vulnerabilities were found in the Oracle Java SE component:

CVE-2018-3999 A use-after-free vulnerability exists in the way that the Hotspot component handles objects in privileged code. An attacker can exploit this vulnerability by running untrusted Java code in privileged code.

CVE-2018-4003 A security bypass vulnerability exists in the Networking component due to incorrect handling of SSL/TLS connections. An attacker can exploit this vulnerability by sending malicious packets to an application via an SSL/TLS connection, resulting in a connection being established without validation of the received data.

CVE-2018-4005 A denial of service vulnerability exists in the way that the SSL/TLS protocol handles INT/UINT types within a signed/unsigned size field in a DTLS handshake. An attacker can exploit this vulnerability by sending a crafted DTLS handshake to an application via an SSL/TLS connection, resulting in an application crash.

CVE-2018-4006 A buffer overflow vulnerability exists in the Skia component when parsing glyphs in some SVG files. An attacker can exploit this vulnerability by sending a crafted SVG file via an SSL/TLS connection, resulting in a connection being established without validation of the received data.

Vulnerabilities in the Java SE Embedded component

The following vulnerabilities were found in the Oracle Java SE Embedded component:

CVE-2016-5199 A stack overflow vulnerability exists in the way that the JAXP component handles XML Signature Transformations. An attacker can exploit this vulnerability by creating a crafted XML document and sending it to an application via an SSL/TLS connection, resulting in a connection being established without validation of the received data.

1.3 Vulnerabilities in the Java Runtime Environment component

The following vulnerabilities were found in the Oracle Java Runtime Environment component:

CVE-2018-3148 A security bypass vulnerability exists when ASN.1 DER encoding rules are not correctly enforced by the Bouncy Castle cryptographic library. An attacker can exploit this vulnerability by being physically proximate to a computer with a Bouncy Castle cryptographic library installed to execute untrusted code, resulting in a denial of service condition.

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/18/2022 21:18:00 UTC
