CVE-2023-22036

moderate-risk
Published 2023-07-18

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10 Low
NETWORK / HIGH complexity

Affected Products (20)

Jdk
Jdk
Jdk
Jre
Jre
Jre

Affected Vendors

Debian Oracle Netapp

References (10)

Mailing List https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20230725-0006/
Third Party Advisory https://www.debian.org/security/2023/dsa-5458
Third Party Advisory https://www.debian.org/security/2023/dsa-5478
Patch https://www.oracle.com/security-alerts/cpujul2023.html
Mailing List https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20230725-0006/
Third Party Advisory https://www.debian.org/security/2023/dsa-5458
Third Party Advisory https://www.debian.org/security/2023/dsa-5478
Patch https://www.oracle.com/security-alerts/cpujul2023.html
33
/ 100
moderate-risk
Severity 13/34 · Low
Exploitability 0/34 · Minimal
Exposure 20/34 · Moderate