CVE-2023-22036 - Vulnerability Details

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Netapp	7-mode Transition Tool Active Iq Unified Manager Cloud Insights Acquisition Unit Cloud Insights Storage Workload Security Agent Oncommand Insight
Oracle	Graalvm Graalvm For Jdk Jdk Jre
Redhat	Enterprise Linux Openjdk Rhel Aus Rhel E4s Rhel Eus Rhel Tus

Configuration 1 [-]

OR	cpe:2.3:a:oracle:graalvm:20.3.10::::enterprise:::
	cpe:2.3:a:oracle:graalvm:21.3.6::::enterprise:::
	cpe:2.3:a:oracle:graalvm:22.3.2::::enterprise:::
	cpe:2.3:a:oracle:graalvm_for_jdk:17.0.7:::::::*
	cpe:2.3:a:oracle:graalvm_for_jdk:20.0.1:::::::*
	cpe:2.3:a:oracle:jdk:11.0.19:::::::*
	cpe:2.3:a:oracle:jdk:17.0.7:::::::*
	cpe:2.3:a:oracle:jdk:20.0.1:::::::*
	cpe:2.3:a:oracle:jre:11.0.19:::::::*
	cpe:2.3:a:oracle:jre:17.0.7:::::::*
	cpe:2.3:a:oracle:jre:20.0.1:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*
	cpe:2.3:o:debian:debian_linux:12.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:netapp:7-mode_transition_tool:-:::::::*
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:::::::*
	cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:::::::*
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*

Package	CPE	Advisory	Released Date
Red Hat Build of OpenJDK 11.0.20
Linux	cpe:/a:redhat:openjdk:11	RHSA-2023:4208	2023-07-20T00:00:00Z
Windows	cpe:/a:redhat:openjdk:11::windows	RHSA-2023:4161	2023-07-20T00:00:00Z
Red Hat Build of OpenJDK 17.0.8
Linux	cpe:/a:redhat:openjdk:17	RHSA-2023:4210	2023-07-20T00:00:00Z
Windows	cpe:/a:redhat:openjdk:17::windows	RHSA-2023:4211	2023-07-20T00:00:00Z
Red Hat Enterprise Linux 7
java-11-openjdk-1:11.0.20.0.8-1.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2023:4233	2023-07-21T00:00:00Z
Red Hat Enterprise Linux 8
java-17-openjdk-1:17.0.8.0.7-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:4159	2023-07-20T00:00:00Z
java-11-openjdk-1:11.0.20.0.8-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:4175	2023-07-20T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
java-11-openjdk-1:11.0.20.0.8-1.el8_1	cpe:/a:redhat:rhel_e4s:8.1	RHSA-2023:4165	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
java-11-openjdk-1:11.0.20.0.8-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2023:4162	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
java-11-openjdk-1:11.0.20.0.8-1.el8_2	cpe:/a:redhat:rhel_tus:8.2	RHSA-2023:4162	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
java-11-openjdk-1:11.0.20.0.8-1.el8_2	cpe:/a:redhat:rhel_e4s:8.2	RHSA-2023:4162	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
java-11-openjdk-1:11.0.20.0.8-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2023:4163	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2023:4171	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
java-11-openjdk-1:11.0.20.0.8-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2023:4163	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2023:4171	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
java-11-openjdk-1:11.0.20.0.8-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2023:4163	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2023:4171	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
java-11-openjdk-1:11.0.20.0.8-1.el8_6	cpe:/a:redhat:rhel_eus:8.6	RHSA-2023:4164	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el8_6	cpe:/a:redhat:rhel_eus:8.6	RHSA-2023:4170	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 9
java-11-openjdk-1:11.0.20.0.8-2.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:4158	2023-07-20T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-2.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:4177	2023-07-20T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
java-11-openjdk-1:11.0.20.0.8-1.el9_0	cpe:/a:redhat:rhel_eus:9.0	RHSA-2023:4157	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el9_0	cpe:/a:redhat:rhel_eus:9.0	RHSA-2023:4169	2023-07-19T00:00:00Z

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html
https://nvd.nist.gov/vuln/detail/CVE-2023-22036
https://security.netapp.com/advisory/ntap-20230725-0006/
https://www.cve.org/CVERecord?id=CVE-2023-22036
https://www.debian.org/security/2023/dsa-5458
https://www.debian.org/security/2023/dsa-5478
https://www.oracle.com/security-alerts/cpujul2023.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2023-07-18T20:18:20.850Z

Updated: 2025-02-13T16:43:28.142Z

Reserved: 2022-12-17T19:26:00.753Z

Link: CVE-2023-22036

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-07-18T21:15:13.587

Modified: 2024-11-21T07:44:08.970

Link: CVE-2023-22036

Redhat

Severity : Moderate

Publid Date: 2023-07-18T20:00:00Z

Links: CVE-2023-22036 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object