Ongoing investigation into Java CVE-2022-21449 & CVE-2022-21476 vulnerabilities and mitigation actions for Objective products

Mitigation actions for Objective products

Last updated: Thu 29 April 2022, 4:30pm AEST

Vulnerabilities have been discovered in Java JDK/JRE which affects any Java application running on unpatched versions of Java 7 through to 18.

The version and maintenance of JDK/JRE running on a customer site is the responsibility of the customer. 

More details on the issues are available through CVE-2022-21449 & CVE-2022-21476, but in summary the vulnerabilities enables possible:

CVE-2022-21449

  • Man in the middle attack: Forgery of an SSL certificates and the Java web client fails to reject it.
  • Authentication bypass: Authentication tokens signed using ECDSA or DSA (JWTs, SAML assertions, OIDC id tokens etc) could be forged potentially allowing impersonation.

CVE-2022-21476

  • XML Security: Usage of XPath Transform to access local ‘.xml’ files remotely.

Please return to this blog post for updates from the Objective Team.

Are my Objective solutions affected?

Since the issue was initially identified, the Objective Product Development Team has been actively investigating the impact of the vulnerability across the entire range of Objective solutions. Each product has been updated with a status, denoting the current state of the investigation and the next steps to be taken.

The following table will be updated as the status of each investigation is updated:

  • Not Affected: Vulnerability does not affect this product
  • Mitigated: Security configuration put in place whilst awaiting Patch
  • Mitigation Available: A Security configuration is available to be applied
  • Patch Pending: Investigation complete. Mitigation in progress
  • Patch Applied: Patch has been applied by the Objective Team
  • Patch Available: Patch available for customers to install. Contact Objective Support for details

Content Solutions

Product

Status CVE-2022-21449

Status CVE-2022-21476

Objective ECM 11.1

Not Affected

Not Affected*

Objective ECM 11.0.x

Not Affected

Not Affected*

Objective ECM 10.x

Not Affected

Not Affected*

Objective Connect

Not Affected

Not Affected

Objective Connect Link (on-premise)

Not Affected

Not Affected*

Objective Connect Link (cloud)

Not Affected

Not Affected

Objective Gov365 (on-premise)

Not Affected

Not Affected

Objective Gov365 (Cloud)

Not Affected

Not Affected

Objective Redact

Not Affected

Not Affected

Objective Ministerials

Not Affected

As per ECM

Objective OpenGov

Not Affected

As per ECM

RegTech

Product

Status CVE-2022-21449

Status CVE-2022-21476

Objective RegWorks (cloud)

Not Affected

Not Affected

Objective Regworks Mobile

Not Affected

Not Affected

Objective Regworks (on-prem)

Not Affected

Not Affected

Objective Regworks Mobile (on-prem)

Not Affected

Not Affected

Objective Reach

Not Affected

Not Affected

Keystone

Product

Status CVE-2022-21449

Status CVE-2022-21476

Objective Keystone

Not Affected

Not Affected

Planning and Building

Product

Status CVE-2022-21449

Status CVE-2022-21476

Objective Trapeze

Not Affected

Not Affected

AlphaOne

Not Affected

Not Affected

GoGet

Not Affected

Not Affected



Footnotes:

*A Java Bug exists in the latest JDK 11.0.15, 11.0.16 and JDK 8 u331 that introduces a start-up issue for the Wildfly Application server within the ECM environment