OpenJDK Vulnerability Advisory: 2022/04/19
The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 18, 17.0.2, 15.0.6, 13.0.10, 11.0.14, 8u322, 7u331, and earlier. Please note that defense-in-depth issues are not assigned CVEs. We recommend that you upgrade as soon as possible.
The current and previous advisories are available for reference.
OpenJDK Risk matrix
| Affects ... | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| CVE ID | Component | CVSSv3.1 Vector |
7 | 8 | 11 | 13 | 15 | 17 | 18 |
| CVE-2022-21476 | security-libs/ java.security |
7.5 NLNNUHNN |
• | • | • | • | • | • | |
| CVE-2022-21449 | security-libs/ java.security |
7.5 NLNNUNHN |
• | • | • | ||||
| CVE-2022-21496 | core-libs/ javax.naming |
5.3 NLNNUNLN |
• | • | • | • | • | • | • |
| CVE-2022-21434 | core-libs/ java.lang |
5.3 NLNNUNLN |
• | • | • | • | • | • | • |
| CVE-2022-21426 | xml/ jaxp |
5.3 NLNNUNNL |
• | • | • | • | • | • | • |
| CVE-2022-21443 | security-libs/ java.security |
3.7 NHNNUNNL |
• | • | • | • | • | • | • |
OpenJFX Risk matrix
| Affects ... | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| CVE ID | Component | CVSSv3.1 Vector |
7 | 8 | 11 | 13 | 15 | 17 | 18 |
| None | |||||||||
Acknowledgements
We acknowledge the following parties for their reports and contributions: Anthony Weems, Charles Korn, John Jiang, Karan Lyons, Markus Loewe, Neil Madden, Tugay Aslan, and Zhzhdoai.
We also thank the Leads of the JDK 7 Updates, JDK 8 Updates, JDK 11 Updates, JDK 13 Updates, JDK 15 Updates, JDK 17 Updates, and OpenJFX Projects for providing the risk-matrix information for their releases.
How to report a vulnerability
Please see the reporting instructions for information about how to report a vulnerability.
