CVE-2023-21930: Vulnerability in Oracle Java SE and GraalVM Enterprise Edition's JSSE component allowing unauthenticated attackers with network access via TLS to compromise systems.


Description

CVE-2023-21930 affects Oracle Java SE versions 8u361, 8u361-perf, 11.0.18, 17.0.6, 20, and Oracle GraalVM Enterprise Edition versions 20.3.9, 21.3.5, and 22.3.1. This vulnerability in the Java Secure Socket Extension (JSSE) component allows unauthenticated attackers with network access via TLS to potentially gain unauthorized access to critical data or modify/delete data. The vulnerability is difficult to exploit but could result in significant confidentiality and integrity impacts, with a CVSS 3.1 Base Score of 7.4.

Overview

This vulnerability primarily affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or Java applets, and rely on the Java sandbox for security. The vulnerability can also be exploited through APIs in the JSSE component, for example through web services that supply data to these APIs. While difficult to exploit, successful attacks could result in unauthorized access to critical data or allow attackers to create, modify, or delete important information. The vulnerability has high confidentiality and integrity impacts but does not affect availability.

Remediation

Organizations should update to the latest versions of Oracle Java SE and Oracle GraalVM Enterprise Edition as provided in Oracle's April 2023 Critical Patch Update. Specific remediation steps include:

  1. Update Oracle Java SE to versions newer than those listed as vulnerable
  2. Update Oracle GraalVM Enterprise Edition to versions newer than those listed as vulnerable
  3. If immediate patching is not possible, consider implementing network-level controls to restrict TLS access to trusted sources
  4. Review and limit the execution of untrusted Java code in your environment
  5. Monitor for suspicious TLS connection attempts to Java applications
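An added helper for steps 1 and 2 above (not code from the advisory, Oracle, or Armis): it parses the banner printed by `java -version` and flags an installation whose version is not newer than the Oracle Java SE release listed as affected for its major family. The affected-version table is taken from the advisory; treating anything at or below a listed version as needing the April 2023 update, and treating families the advisory does not list as outside this check, are assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# Oracle Java SE versions the advisory lists as affected by CVE-2023-21930,
# keyed by major release family (8u361 -> (8, 0, 361), bare "20" -> (20, 0, 0)).
AFFECTED_JAVA_SE = {8: (8, 0, 361), 11: (11, 0, 18), 17: (17, 0, 6), 20: (20, 0, 0)}

# Matches the quoted version token in a `java -version` banner, e.g.
#   java version "1.8.0_361"          (legacy 1.x scheme, update number after '_')
#   openjdk version "11.0.18" 2023-01-17
_VERSION_RE = re.compile(r'version "(?P<ver>[^"]+)"')


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch-or-update) from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    ver = m.group("ver")
    # Legacy scheme: 1.8.0_361 -> major 8, update 361 (optional "-ea" style suffix ignored)
    legacy = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)(?:-.*)?", ver)
    if legacy:
        return int(legacy.group(1)), 0, int(legacy.group(3))
    # Current scheme: 11.0.18, 17.0.6, 20 (a trailing +build or -suffix is ignored)
    modern = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", ver)
    if not modern:
        return None
    return int(modern.group(1)), int(modern.group(2) or 0), int(modern.group(3) or 0)


def needs_update(version: Tuple[int, int, int]) -> bool:
    """True when the version is not newer than the affected release in its family.
    Assumption: families not listed by the advisory are reported as not flagged."""
    affected = AFFECTED_JAVA_SE.get(version[0])
    if affected is None:
        return False
    return version <= affected


def check_local_java() -> Optional[bool]:
    """Run `java -version` on this host; None if no java binary or unparseable banner."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    version = parse_java_version(out.stderr + out.stdout)  # banner goes to stderr
    return needs_update(version) if version else None
```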

References

  1. Oracle Critical Patch Update Advisory - April 2023: https://www.oracle.com/security-alerts/cpuapr2023.html
  2. Debian Security Advisory DSA-5430: https://www.debian.org/security/2023/dsa-5430
  3. Debian Security Advisory DSA-5478: https://www.debian.org/security/2023/dsa-5478
  4. Debian LTS Announcement: https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html
  5. NetApp Security Advisory NTAP-20230427-0008: https://security.netapp.com/advisory/ntap-20230427-0008/
  6. NetApp Security Advisory NTAP-20240621-0006: https://security.netapp.com/advisory/ntap-20240621-0006/
  7. Couchbase Security Alerts: https://www.couchbase.com/alerts/

Industry Exposure (most to least affected)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Health Care & Social Assistance
  3. Public Administration
  4. Finance and Insurance
  5. Transportation & Warehousing
  6. Educational Services
  7. Professional, Scientific, & Technical Services
  8. Other Services (except Public Administration)
  9. Utilities
  10. Retail Trade
  11. Arts, Entertainment & Recreation
  12. Information
  13. Management of Companies & Enterprises
  14. Accommodation & Food Services
  15. Agriculture, Forestry, Fishing & Hunting
  16. Mining
  17. Real Estate, Rental & Leasing
  18. Construction
  19. Wholesale Trade
  20. Administrative, Support, Waste Management & Remediation Services

Armis Vulnerability Intelligence Database