CVE-2023-21930 - Vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition JSSE Component Exploited Over TLS Connection

A vulnerability has been discovered in Oracle Java SE and Oracle GraalVM Enterprise Edition (GEE). The vulnerability is found in the Java Secure Socket Extension (JSSE) component and affects supported versions Oracle Java SE: 8u361, 8u361-perf, 11..18, 17..6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and  22.3.1. The vulnerability can be exploited over a TLS (Transport Layer Security) connection by an unauthenticated attacker with network access.

Exploit Details

The vulnerability in the JSSE component is categorized as a difficult-to-exploit vulnerability that can lead to unauthorized creation, deletion, modification, and access to critical data of Oracle Java SE and Oracle GraalVM Enterprise Edition. The attacker can compromise and gain complete access to all data accessible by Oracle Java SE and Oracle GraalVM Enterprise Edition.

Affected Deployments

The vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets. These deployments load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. Additionally, this vulnerability can be exploited by using APIs in the specified component, for example, through a web service that supplies data to the APIs.

CVSS 3.1 Base Score and Vector

The Common Vulnerability Scoring System (CVSS) 3.1 Base Score for this vulnerability is 7.4, which indicates a potential for high impact on the Confidentiality and Integrity of the affected systems. The CVSS Vector associated with this vulnerability is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Code Snippet

While no specific code snippet is provided for this vulnerability, developers and system administrators should be cautious about using any API in the JSSE component that interacts with untrusted data, and monitor any web services that supply data to the APIs for any potential exploit attempts.

Original References

1. Oracle Security Alert Advisory - CVE-2023-21930: https://www.oracle.com/security-alerts/alert-cve-2023-21930.html
2. CVSS 3.1 Specification: https://www.first.org/cvss/specification-document

Mitigation

As a temporary measure, developers and system administrators should restrict the use of the JSSE component, particularly in situations where untrusted code is loaded and executed, and disable any associated web services as appropriate. Users and administrators are encouraged to monitor any announcements and software updates from Oracle to address this vulnerability.

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/18/2023 20:37:00 UTC