OpenJDK Vulnerability Advisory: 2022/01/18

The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 17.0.1, 15.0.5, 13.0.9, 11.0.13, 8u312, 7u321, and earlier. Please note that defense-in-depth issues are not assigned CVEs. We recommend that you upgrade as soon as possible.

The current and previous advisories are available for reference.

OpenJDK Risk matrix

CVE ID          Component                        CVSSv3.1  Vector    Affects 7 8 11 13 15 17
CVE-2022-21341  core-libs/java.io:serialization  5.3       NLNNUNNL
CVE-2022-21365  client-libs/javax.imageio        5.3       NLNNUNNL
CVE-2022-21282  xml/jaxp                         5.3       NLNNULNN
CVE-2022-21291  hotspot/runtime                  5.3       NLNNUNLN
CVE-2022-21277  client-libs/javax.imageio        5.3       NLNNUNNL
CVE-2022-21305  hotspot/compiler                 5.3       NLNNUNLN
CVE-2022-21299  xml/jaxp                         5.3       NLNNUNNL
CVE-2022-21296  xml/jaxp                         5.3       NLNNULNN
CVE-2022-21349  client-libs/2d                   5.3       NLNNUNNL
CVE-2022-21283  core-libs/java.util              5.3       NLNNUNNL
CVE-2022-21340  security-libs/java.security      5.3       NLNNUNNL
CVE-2022-21293  core-libs/java.lang              5.3       NLNNUNNL
CVE-2022-21294  core-libs/java.util              5.3       NLNNUNNL
CVE-2022-21360  client-libs/javax.imageio        5.3       NLNNUNNL
CVE-2022-21366  client-libs/javax.imageio        5.3       NLNNUNNL
CVE-2022-21248  core-libs/java.io:serialization  3.7       NHNNUNLN

OpenJFX Risk matrix

CVE ID          Component                        CVSSv3.1  Vector    Affects 7 8 11 13 15 17
None

Acknowledgements

We acknowledge the following parties for their reports and contributions: Fabian Meumertzheim, Dan Rabe, John Jiang, Jonni Passki, Markus Loewe, Robin Textor, and Zhiqiang Zang.

We also thank the Leads of the JDK 7 Updates, JDK 8 Updates, JDK 11 Updates, JDK 13 Updates, JDK 15 Updates, and OpenJFX Projects for providing the risk-matrix information for their releases.

How to report a vulnerability

Please see the reporting instructions for information about how to report a vulnerability.

Last update: 2022/01/18 17:44 UTC