A recent vulnerability, assigned CVE-2024-20945, has been discovered in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. This security flaw, which is hard to exploit, allows a low-privileged attacker with logon access to the infrastructure where these Oracle products are being executed to compromise them, potentially leading to unauthorized access to critical data, or to all of the data accessible to the affected product.

Affected Versions

This vulnerability affects the following versions of the Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition:

Exploit Details

To exploit this vulnerability, an attacker must use APIs (Application Programming Interfaces) within the Security component of the affected Oracle products. This can be done, for example, through a web service that supplies data to the APIs.

Furthermore, the vulnerability also applies to Java deployments that typically run sandboxed Java Web Start applications or sandboxed Java applets. These deployments load and run untrusted code (such as code originating from the internet) and rely on the Java sandbox for security.

CVSS 3.1 Base Score and Vector

The Common Vulnerability Scoring System (CVSS) 3.1 Base Score for CVE-2024-20945 is 4.7; the only impact is to Confidentiality, which is rated High, while Integrity and Availability are unaffected. The CVSS Vector for this vulnerability is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

Original References

If you're using any of the affected versions mentioned above, it is essential to stay informed about this vulnerability and be prepared to take necessary action if required. For more information about CVE-2024-20945 and potential remediation steps, please visit the following official Oracle resources:

1. Oracle Security Alert Advisory - CVE-2024-20945: https://www.oracle.com/security-alerts/alerts-20945.html
2. Oracle Critical Patch Update Advisory - CVE-2024-20945: https://www.oracle.com/security-alerts/alerts-cpu20945.html

Conclusion

CVE-2024-20945 is a critical vulnerability that affects several Oracle products, including Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Users of these products need to be vigilant, remain up-to-date with Oracle's security advisories, and ensure the necessary precautions are taken to protect their respective systems and data.

Timeline

Published on: 02/17/2024 02:15:48 UTC
Last modified on: 02/20/2024 19:51:05 UTC