Lucene search

Kaspersky LabKLA63108

HistoryJan 16, 2024 - 12:00 a.m.

KLA63108 Multiple vulnerabilities in Oracle Java SE and GraalVM

2024-01-1600:00:00

Kaspersky Lab

threats.kaspersky.com

oracle

java

graalvm

vulnerability

denial of service

sensitive information

arbitrary code

public exploits

jdk 17.0.9

jdk 21.0.1

enterprise edition

20.3.12

21.3.8

22.3.4

11.0.21

17.0.9

21.0.1

8u391

8u391-perf

update

ace impact

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

9.5

Confidence

High

EPSS

0.816

Percentile

98.4%

JSON

Multiple vulnerabilities were found in Oracle Java. Malicious users can exploit these vulnerabilities to cause denial of service, obtain sensitive information, execute arbitrary code.

Below is a complete list of vulnerabilities:

A denial of service vulnerability in HTTP/2 protocol can be exploited remotely to cause denial of service.
A denial of service vulnerability in JSON-Java can be exploited remotely to cause denial of service.
Information disclosure vulnerability can be exploited to obtain sensitive information.
Code execution vulnerability in JavaFX can be exploited to execute arbitrary code.
Code execution vulnerability in Security can be exploited to execute arbitrary code.
Code execution vulnerability can be exploited to execute arbitrary code.
Code execution vulnerability in Hotspot can be exploited to execute arbitrary code and obtain sensitive information.
Information disclosure vulnerability in Compiler can be exploited to obtain sensitive information.
Information disclosure vulnerability in Scripting can be exploited to obtain sensitive information.
Code execution vulnerability in Security can be exploited to execute arbitrary code and obtain sensitive information.

Original advisories

Oracle Critical Patch Update Advisory – January 2024

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Oracle-Java-JRE-1.8.x

CVE list

CVE-2023-44487 critical

CVE-2023-5072 critical

CVE-2024-20921 high

CVE-2024-20922 warning

CVE-2024-20932 critical

CVE-2024-20945 warning

CVE-2024-20923 warning

CVE-2024-20919 high

CVE-2024-20918 high

CVE-2024-20925 warning

CVE-2024-20955 warning

CVE-2024-20926 high

CVE-2024-20952 high

Solution

Update to the latest version

Download Java

Impacts

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

Oracle GraalVM for JDK 17.0.9, 21.0.1Oracle GraalVM Enterprise Edition 20.3.12, 21.3.8, 22.3.4Oracle Java SE 11.0.21, 17.0.9, 21.0.1, 8u391, 8u391-perf