by using the XML parsing APIs, or by sending specially crafted requests. The attacker must host the code on an insecure web server, or provide a link to the code. Access to these APIs can be disabled by setting the graal.serialization.enabled property to false.

[CVE-2018-13087]
- Improper Initialization of the Graal Compiler Service.

[CVE-2018-13088]
- Improper Restriction of the Permissions of the Graal Native Code Generator.
- Data Injection Vulnerability in the Oracle JDK.

[CVE-2018-13089]
- Improper Restriction of the Permissions of the Graal Native Code Generator.
- Unrestricted Upload of Code via the Java Web Console.
- Unrestricted Upload of Code via the Java Debugger.
- Incorrect Access Control for User-Defined Classes and Packages.
- Improper Restriction of the Permissions of the Graal Native Code Generator.
- Data Injection Vulnerability in the Oracle JDK.

[CVE-2018-13090]
- Improper Restriction of the Permissions of the Graal Native Code Generator.
- Unrestricted Upload of Code via the Java Web Console.
- Unrestricted Upload of Code via the Java Debugger.
- Incorrect Access Control for User-Defined Classes and Packages.

Oracle has provided a security release to address these vulnerabilities. Interested parties can find information about the security release at: https://blogs.oracle.

What is Oracle Graal?

Oracle Graal is an implementation of the Java Virtual Machine that can be used as a compiler, just like the JDK. Oracle’s goal is to enable developers to use Java features without having to compile their code themselves. In addition, Oracle hopes that by providing a more feature-rich Java compiler it will be able to build a developer product that replaces the paid version of the Oracle JDK.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 15:14:00 UTC

References