A new vulnerability has been discovered that affects Oracle Java SE and Oracle GraalVM Enterprise Edition. This vulnerability, tracked as CVE-2023-21835, can give an attacker the unauthorized ability to cause a partial denial of service (DoS) of Oracle Java SE and GraalVM Enterprise Edition. This post provides an overview of the issue, including a code snippet, links to the original references, and exploit details.

Affected Versions

The following supported versions of Oracle Java SE and GraalVM Enterprise Edition have been found to be affected:

The Vulnerability

The vulnerability exists within the JSSE component of Oracle Java SE and GraalVM Enterprise Edition. An unauthenticated attacker with network access via DTLS can easily exploit it, leading to a partial DoS of the affected systems.

It is important to note that this vulnerability specifically applies to Java deployments in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code (such as code coming from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments in servers that load and run only trusted code (such as code installed by an administrator).

Here is an example code snippet that shows how the vulnerable DTLS component of JSSE is reached; the exploit body itself is left as a placeholder:

import javax.net.ssl.*;
import java.security.NoSuchAlgorithmException;

public class CVE2023_21835_Exploit {
    public static void main(String[] args) {
        try {
            // Obtain a DTLS SSLContext from the JSSE provider. This is the
            // entry point into the affected DTLS implementation.
            SSLContext sslContext = SSLContext.getInstance("DTLS");
            // Exploit code goes here
        } catch (NoSuchAlgorithmException e) {
            // Thrown when no installed provider supports the "DTLS" protocol.
            e.printStackTrace();
        }
    }
}

CVSS 3.1 Base Score and Vector

The CVSS 3.1 Base Score for this vulnerability is 5.3, with the primary impact being on availability. The CVSS Vector is as follows:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

1. Oracle Critical Patch Update Advisory - January 2023
2. CVE-2023-21835 Details
3. National Vulnerability Database (NVD) CVE-2023-21835

Conclusion

CVE-2023-21835 is a serious vulnerability that affects multiple versions of Oracle Java SE and GraalVM Enterprise Edition. If you are running a vulnerable version, apply the fixes from the Oracle Critical Patch Update of January 2023 as soon as possible to mitigate the risk of a successful exploit. Always keep your applications and systems up to date with the latest security patches to protect against such vulnerabilities.

Timeline

Published on: 01/18/2023 00:15:00 UTC
Last modified on: 01/24/2023 19:29:00 UTC