OpenJDK Vulnerability Advisory: 2022/07/19
The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 18.0.1, 17.0.3, 15.0.7, 13.0.11, 11.0.15, 8u332, 7u341, and earlier. Please note that defense-in-depth issues are not assigned CVEs. We recommend that you upgrade as soon as possible.
The current and previous advisories are available for reference.
OpenJDK Risk matrix
| | | | Affects ... | | | | | | |
|---|---|---|---|---|---|---|---|---|---|
| CVE ID | Component | CVSSv3.1 Vector | 7 | 8 | 11 | 13 | 15 | 17 | 18 | 
| CVE-2022-34169 | xml/jaxp | 7.5 NLNNUNHN | • | • | • | • | • | • | • |
| CVE-2022-21541 | hotspot/runtime | 5.9 NHNNUNHN | • | • | • | • | • | • | • |
| CVE-2022-21549 | core-libs/java.util | 5.3 NLNNUNLN | • | ||||||
| CVE-2022-21540 | hotspot/compiler | 5.3 NLNNULNN | • | • | • | • | • | • | • |
OpenJFX Risk matrix
| | | | Affects ... | | | | | | |
|---|---|---|---|---|---|---|---|---|---|
| CVE ID | Component | CVSSv3.1 Vector | 7 | 8 | 11 | 13 | 15 | 17 | 18 | 
| None | | | | | | | | | |
Acknowledgements
We acknowledge the following parties for their reports and contributions: 1900017783, Cheng Xu, Dennis Katz, Felix Wilhelm, Jeff Dileo, John Jackson, Kelly Kaoudis, Markus Loewe, Nick Sahler, Sick Codes, Stuart Monteith, and Victor Viale.
We also thank the Leads of the JDK 7 Updates, JDK 8 Updates, JDK 11 Updates, JDK 13 Updates, JDK 15 Updates, JDK 17 Updates, and OpenJFX Projects for providing the risk-matrix information for their releases.
How to report a vulnerability
Please see the reporting instructions for information about how to report a vulnerability.