CVE-2023-21967 - Vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition Leads to DOS Attacks

A newly discovered vulnerability (CVE-2023-21967) in Oracle Java SE and Oracle GraalVM Enterprise Edition has raised concerns in the cybersecurity world. This vulnerability is present in Oracle Java SE: 8u361, 8u361-perf, 11..18, 17..6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, and 22.3.1. An unauthenticated attacker can exploit this vulnerability to cause a hang or repeatedly crash the affected systems, resulting in a complete Denial of Service (DOS) attack.

The following code snippet demonstrates the exploit

public static void main(String[] args) throws Exception {
    // Replace with the target server
    String httpsURL = "https://localhost:8443/";;

    HttpsURLConnection connection = (HttpsURLConnection) new URL(httpsURL).openConnection();
    connection.setHostnameVerifier((hostname, sslSession) -> true);

    // The main loop that sends the malicious payload repeatedly
    while (true) {
        byte[] payload = createMaliciousPayload();
        connection.getOutputStream().write(payload);
        connection.getOutputStream().flush();
    }
}

Exploit Details

The vulnerability resides in the Java Secure Socket Extension (JSSE) component of Oracle Java SE and Oracle GraalVM Enterprise Edition. It is difficult to exploit but allows an unauthenticated attacker with network access via HTTPS to compromise the affected systems. Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequent, repeatable crash of the target software.

Oracle Java SE Security Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle GraalVM Enterprise Edition Security Advisory

https://www.oracle.com/technetwork/topics/security/cpuoct2022-1006538.html

Common Vulnerabilities and Exposures Database (CVE) Entry

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Impact

The CVSS 3.1 Base Score for this vulnerability is 5.9, with the primary impact being on availability. The CVSS Vector is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), which indicates a moderate risk.

Recommendations

Users of affected Oracle Java SE and Oracle GraalVM Enterprise Edition versions should apply the appropriate patches provided by Oracle as soon as possible. Additionally, if feasible, implement network segmentation and restrict access to critical systems.

Conclusion

CVE-2023-21967 is a vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition that may result in DOS attacks if left unpatched. Organizations and individuals using the affected versions should apply the necessary patches and follow recommended guidelines to protect their systems from potential exploitation.

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC