CVE-2022-39399 — Authentication Bypass by Spoofing in Corporation Java SE JDK AND JRE

CWE-290 — Authentication Bypass by Spoofing8 documents8 sources

Severity

3.7LOWNVD

EPSS

0.3%

top 47.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netapp E-series Santricity OS Controller Oracle Corporation Java SE JDK AND JRE Azul Zulu +4 more

Timeline

PublishedOct 18

Latest updateNov 9

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized updat…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages6 packages

▶CVEListV5oracle_corporation/java_se_jdk_and_jre6 versions+5

▶NVDoracle/graalvm20.3.7, 21.3.3, 22.2.0+2

▶NVDoracle/jdk11.0.16.1, 17.0.4.1, 19+2

▶NVDoracle/jre11.0.16.1, 17.0.4.1, 19+2

▶NVDnetapp/e-series_santricity_os_controller11.0 — 11.70.2

Also affects: Fedora 35, 36

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-pvgf-45fp-3xpp: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking)↗2022-10-19

▶

CVEList

CVE-2022-39399: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking)↗2022-10-18

▶

OSV

CVE-2022-39399: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking)↗2022-10-18

▶

📋Vendor Advisories

Ubuntu

OpenJDK vulnerabilities↗2022-11-09

▶

Red Hat

OpenJDK: missing SNI caching in HTTP/2 (Networking, 8289366)↗2022-10-18

▶

Oracle

Oracle Oracle Java SE Risk Matrix: Networking — CVE-2022-39399↗2022-10-15

▶

Debian

CVE-2022-39399: openjdk-11 - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product o...↗2022

▶