Description
Summary
ReversingLabs (secure.software) reports multiple fixable vulnerabilities in recent releases of the VS Code extension Language Support for Java™ by Red Hat (redhat.java). The list includes 1 Critical, 1 High, and 3 Medium severity CVEs (per CVSS), each marked Fix Available, and one marked Exploits Exist. [secure.software]
Source report: secure.software — redhat/java vulnerabilities
Last refreshed (per report): 2026-03-14 [secure.software]
Findings (Critical / High / Medium only)
The secure.software report lists the following CVEs:
Critical
- CVE-2017-1000487 — CVSS 9.8 (Critical) — Fix Available — “Vulnerability Triaged” [secure.software]
High
- CVE-2022-4244 — CVSS 7.5 (High) — Fix Available — “Vulnerability Triaged” [secure.software]
Medium
- CVE-2022-36033 — CVSS 6.1 (Medium) — Exploits Exist, Fix Available [secure.software]
- CVE-2022-4245 — CVSS 4.3 (Medium) — Fix Available — “Vulnerability Triaged” [secure.software]
- CVE-2024-47554 — CVSS 4.3 (Medium) — Fix Available [secure.software]
The report indicates: “All detected vulnerabilities are fixable” and recommends running update/upgrade actions to resolve them. [secure.software]
Why This Matters
Although these vulnerabilities originate in third-party libraries bundled with the extension rather than in the extension's own code, leaving them unpatched introduces avoidable risk to developer workstations and creates barriers to adoption of the Red Hat VS Code Java extension in enterprise environments.
Recommended remediation approach
- Dependency trace / SBOM: Identify which direct/transitive libraries in the VSIX map to each CVE and confirm the impacted versions.
- Upgrade / patch: Update affected dependencies to versions that address: CVE‑2017‑1000487; CVE‑2022‑4244; CVE‑2022‑36033; CVE‑2022‑4245; CVE‑2024‑47554 [secure.software]
- Rebuild & validate: Rebuild the extension artifact and re-scan to confirm Critical/High/Medium findings are cleared.
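As an added illustration of the three steps above (this is example code written for this issue, not code from the redhat.java project or from secure.software): the script below unpacks a VSIX, inventories every bundled JAR that carries Maven `META-INF/maven/**/pom.properties`, compares each component against an advisory table of the form advisory id -> (groupId, artifactId, first fixed version), and re-runs the check against a "rebuilt" artifact to confirm the finding is gone. The VSIX it scans is constructed in memory with placeholder coordinates (`org.example:example-util`, `org.example:example-io`) and placeholder advisory ids; the real mapping of the five CVEs to artifacts and fixed versions must be taken from the secure.software report or an SBOM, not from this table. The `extension/server/plugins/` layout is an assumption about where the extension ships its JDT LS JARs.

```python
"""Inventory the Maven JARs bundled in a VSIX and flag those below a fixed version.

Added example, not code from the redhat.java project or from secure.software.
The VSIX built here and the advisory table are constructed placeholder data;
in practice the CVE -> artifact mapping comes from the scanner report or an SBOM.
"""
import io
import re
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    path: str  # location of the JAR inside the VSIX


def _parse_pom_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def inventory_vsix(vsix_bytes):
    """Return every JAR in the VSIX that carries Maven META-INF/maven/**/pom.properties."""
    found = []
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as vsix:
        for name in vsix.namelist():
            if not name.endswith(".jar"):
                continue
            with zipfile.ZipFile(io.BytesIO(vsix.read(name))) as jar:
                for inner in jar.namelist():
                    if inner.startswith("META-INF/maven/") and inner.endswith("/pom.properties"):
                        props = _parse_pom_properties(jar.read(inner).decode("utf-8", "replace"))
                        if {"groupId", "artifactId", "version"} <= props.keys():
                            found.append(Component(props["groupId"], props["artifactId"],
                                                   props["version"], name))
    return found


def _version_key(version):
    # Simplified ordering: numeric segments compare as ints, everything else as text.
    # Not full Maven/OSGi semantics (qualifiers such as -SNAPSHOT), but enough to triage.
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.split(r"[.\-]", version))


def match_advisories(components, advisories):
    """advisories: {id: (groupId, artifactId, first_fixed_version)} -> [(id, Component)]."""
    hits = []
    for adv_id, (group, artifact, fixed) in advisories.items():
        for comp in components:
            if (comp.group, comp.artifact) == (group, artifact) \
                    and _version_key(comp.version) < _version_key(fixed):
                hits.append((adv_id, comp))
    return hits


def _jar_with_pom(group, artifact, version):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                     f"#generated\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()


def build_sample_vsix(util_version="1.2.0"):
    """Constructed stand-in for a VSIX: a zip with package.json and two bundled JARs.
    The extension/server/plugins/ layout is an assumption for illustration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as vsix:
        vsix.writestr("extension/package.json", '{"name": "example-extension"}')
        vsix.writestr(f"extension/server/plugins/example-util-{util_version}.jar",
                      _jar_with_pom("org.example", "example-util", util_version))
        vsix.writestr("extension/server/plugins/example-io-3.0.1.jar",
                      _jar_with_pom("org.example", "example-io", "3.0.1"))
    return buf.getvalue()


# Constructed placeholder advisory table: id -> (groupId, artifactId, first fixed version).
SAMPLE_ADVISORIES = {
    "EXAMPLE-ADV-1": ("org.example", "example-util", "1.3.0"),
    "EXAMPLE-ADV-2": ("org.example", "example-io", "3.0.0"),
}


def scan(vsix_bytes, advisories=SAMPLE_ADVISORIES):
    return match_advisories(inventory_vsix(vsix_bytes), advisories)


if __name__ == "__main__":
    for adv_id, comp in scan(build_sample_vsix()):
        print(f"{adv_id}: {comp.group}:{comp.artifact}:{comp.version} ({comp.path})")
    # "Rebuild & validate": the same scan over an artifact built with the upgraded dependency.
    print("findings after rebuild:", len(scan(build_sample_vsix(util_version="1.3.0"))))
```

Against the constructed sample, the first scan reports one hit (example-util 1.2.0 is below the placeholder fixed version 1.3.0; example-io 3.0.1 is not), and the scan of the artifact rebuilt with example-util 1.3.0 reports none. For the real extension, replace SAMPLE_ADVISORIES with the artifact/version data from the secure.software report and keep the tool's own re-scan as the final gate, since the version comparison here is deliberately simplified.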
References: ReversingLabs secure.software report: Language Support for Java™ by Red Hat — Vulnerabilities