CVE-2022-21449 - Psychic Signatures in Java

[raunokulla]

https://nvd.nist.gov/vuln/detail/CVE-2022-21449

Is restheart or its core plugins impacted by this vulnerability?

[ujibang]

After analysis we think that RESTHeart is not affected by CVE-2022-21449

the vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

RESTHeart does not use Java Web Start and Java Applets (!) and it doesn't load untrusted code; it only loads plugins that are deployed as described in https://restheart.org/docs/plugins/deploy.

Also our docker images don't use the JVMs that are reported to be affected in the CVE (Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2). We use eclipse-temurin:17-jre and GraalVM Community.

We also use Sonatype Lift to check for threads and we have 0 threats found! See report at https://sbom.lift.sonatype.com/report/T1-a0368c8f29fdaa555824-5fd315625ad1b2-1650549347-13bd15118d6c45c6a55efaabaf96eca8