Vulnerability Detected on DLP servers re. Adopt OpenJDK Vulnerability Advisory:2022-04-19:QID:376757

Article ID: 260891


Products

Data Loss Prevention

Issue/Introduction

A security scan of the DLP servers shows the servers are vulnerable to "Adopt OpenJDK Vulnerability Advisory:2022-04-19:QID:376757".

Resolution

Regarding Adopt OpenJDK Vulnerability Advisory:2022-04-19:QID:376757 and its associated CVEs.
OpenJDK Vulnerability Advisory: 2022/04/19

Since DLP uses OpenJRE 1.8.0_XXX (8uXXX), these are the only associated CVEs:

CVE-2022-21476:
Defective secure validation in Apache Santuario
No impact on DLP.
DLP does not use Apache Santuario and hence is not impacted.

CVE-2022-21496:
URI parsing inconsistencies
No impact on DLP.
DLP does not handle untrusted URIs via java.net.URI and hence is not impacted.

CVE-2022-21434:
Improper object-to-string conversion in AnnotationInvocationHandler
No impact on DLP.
Careful analysis revealed this bug cannot be triggered, and hence DLP is not impacted.

CVE-2022-21426:
Unbounded memory allocation with crafted XPath expression
No impact on DLP.
DLP does not process untrusted XPath expressions and hence is not impacted.

CVE-2022-21443:
This vulnerability applies to Oracle Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
Ensure the database has at least the 19c CPU2022APR patch installed.
We recommend that you install the latest available Oracle CPU.
DLP does not use Oracle Java or use sandboxing for Java Web Start applications and hence is not impacted.

If there is any concern, update the JRE to the latest supported version.
At the time of this writing, 28 Feb. 2023, the latest supported version of OpenJRE is 1.8.0_352.
And the latest available Oracle CPU for 19c Standard is CPU2022OCT.
For 19c Enterprise, your DBA can update to the latest version available from Oracle.
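As an added example (not part of this article and not a Broadcom or DLP tool), the POSIX shell check below parses the `java -version` banner of the JRE installed on a server and compares the Java 8 update number against the minimum the article names (8u352 at the time of writing). It assumes a Java 8 JRE (the 1.8.0_NNN version format) and that `java` on PATH, or under JAVA_HOME when set, is the JRE the DLP server actually runs; the article does not give the DLP JRE path, so that is an assumption. The two banners embedded in the script are constructed samples, not output captured from a DLP server.

```shell
#!/bin/sh
# Added example (not part of the KB article): check whether the installed
# Java 8 JRE is at or above the minimum update named in the article.
# Assumption: the JRE is Java 8, so its banner carries a "1.8.0_NNN" version.

MIN_UPDATE=352   # 1.8.0_352 was the latest supported OpenJRE per the article

# Print the update number (digits after "1.8.0_") from a java -version banner.
# Prints nothing if the banner is not a Java 8 banner.
jre8_update_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*"1\.8\.0_\([0-9]*\)".*/\1/p' | head -n 1
}

# Return 0 if the banner's update number is >= MIN_UPDATE, 1 otherwise.
# An unrecognised banner (no 1.8.0_NNN) also returns 1, so it fails closed.
jre8_meets_minimum() {
    upd=$(jre8_update_from_banner "$1")
    [ -n "$upd" ] && [ "$upd" -ge "$MIN_UPDATE" ]
}

# Constructed sample banners (not captured from a real DLP server).
SAMPLE_OLD='openjdk version "1.8.0_302"
OpenJDK Runtime Environment (build 1.8.0_302-b08)
OpenJDK 64-Bit Server VM (build 25.302-b08, mixed mode)'
SAMPLE_NEW='openjdk version "1.8.0_352"
OpenJDK Runtime Environment (build 1.8.0_352-b08)
OpenJDK 64-Bit Server VM (build 25.352-b08, mixed mode)'

# Check the JRE on this host. Assumes JAVA_HOME (if set) or "java" on PATH is
# the JRE the DLP server runs. java prints its version banner to stderr.
check_installed_jre() {
    java_bin="${JAVA_HOME:+$JAVA_HOME/bin/}java"
    banner=$("$java_bin" -version 2>&1) || { echo "java not found"; return 2; }
    if jre8_meets_minimum "$banner"; then
        echo "OK: 8u$(jre8_update_from_banner "$banner") >= 8u$MIN_UPDATE"
    else
        echo "UPDATE NEEDED: JRE is below 8u$MIN_UPDATE (banner: $banner)"
        return 1
    fi
}

# Usage: sh jrecheck.sh --check   (runs the check against the local JRE)
if [ "${1:-}" = "--check" ]; then
    check_installed_jre
fi
```

The parser only keys on the quoted `"1.8.0_NNN"` line so that the `(build 1.8.0_NNN-bXX)` line and any Java 11+ banner are ignored; an unrecognised banner is reported as needing review rather than silently passing.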