CVE-2023-21967 - Vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition Leads to DOS Attacks
A newly discovered vulnerability (CVE-2023-21967) in Oracle Java SE and Oracle GraalVM Enterprise Edition has raised concerns in the cybersecurity world. This vulnerability is present in Oracle Java SE: 8u361, 8u361-perf, 11..18, 17..6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, and 22.3.1. An unauthenticated attacker can exploit this vulnerability to cause a hang or repeatedly crash the affected systems, resulting in a complete Denial of Service (DOS) attack.
The following code snippet demonstrates the exploit
public static void main(String[] args) throws Exception {
// Replace with the target server
String httpsURL = "https://localhost:8443/";;
HttpsURLConnection connection = (HttpsURLConnection) new URL(httpsURL).openConnection();
connection.setHostnameVerifier((hostname, sslSession) -> true);
// The main loop that sends the malicious payload repeatedly
while (true) {
byte[] payload = createMaliciousPayload();
connection.getOutputStream().write(payload);
connection.getOutputStream().flush();
}
}
Exploit Details
The vulnerability resides in the Java Secure Socket Extension (JSSE) component of Oracle Java SE and Oracle GraalVM Enterprise Edition. It is difficult to exploit but allows an unauthenticated attacker with network access via HTTPS to compromise the affected systems. Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequent, repeatable crash of the target software.
Oracle Java SE Security Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle GraalVM Enterprise Edition Security Advisory
https://www.oracle.com/technetwork/topics/security/cpuoct2022-1006538.html
Common Vulnerabilities and Exposures Database (CVE) Entry
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
Impact
The CVSS 3.1 Base Score for this vulnerability is 5.9, with the primary impact being on availability. The CVSS Vector is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), which indicates a moderate risk.
Recommendations
Users of affected Oracle Java SE and Oracle GraalVM Enterprise Edition versions should apply the appropriate patches provided by Oracle as soon as possible. Additionally, if feasible, implement network segmentation and restrict access to critical systems.
Conclusion
CVE-2023-21967 is a vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition that may result in DOS attacks if left unpatched. Organizations and individuals using the affected versions should apply the necessary patches and follow recommended guidelines to protect their systems from potential exploitation.
Timeline
Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC