So i had some few more minutes left and checked this on my own without waiting for the review of the responsible team.
It seems this is/was originating from a typo on the Oracle Advisory itself which has:
Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01;
while the versioning scheme of 17.x is actually 17.0.6 and similar. As 17.0.6 is < 17.01 the vulnerability report has been seen on all 17.x instances.
The version check was now updated to not use wrong 17.01 from the advisory but the more correct 17.0.1 and these changes should arrive in the feed the next few days.
Unfortunately this shows again that automated vulnerability scanning (especially if version based) is only as good as the source of the version info (in this case the vendor advisory) is.
As the CVE descriptions itself like e.g. https://www.cve.org/CVERecord?id=CVE-2022-21291 currently also containing the malformed version “17.01” i have contacted Oracle (as the assigning CNA) to correct the CVE descriptions as well as the advisory.
Let’s see if these resources are getting corrected to avoid further confusions / misunderstandings in the future.
