CVE-2024-20952

Published: 16 January 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Priority

Cvss 3 Severity Score

7.4

Score breakdown

Status

Package	Release	Status
openjdk-13 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Ignored (superseded by openjdk-17)
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjdk-16 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Ignored (superseded by openjdk-17)
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjdk-17 Launchpad, Ubuntu, Debian	bionic	Released (17.0.10+7-1~18.04.1) Available with Ubuntu Pro
	focal	Released (17.0.10+7-1~20.04.1)
	jammy	Released (17.0.10+7-1~22.04.1)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Released (17.0.10+7-1~23.10.1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Patches: upstream: https://github.com/openjdk/jdk17u/commit/a0b9d41079bc7b0beb3852e2c3af3416f32dcb0a
openjdk-18 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Ignored (superseded by openjdk-19)
	lunar	Ignored (superseded by openjdk-19)
	mantic	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjdk-19 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Ignored (no longer supported by upstream)
	lunar	Ignored (superseded by openjdk-20)
	mantic	Ignored (superseded by openjdk-20)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjdk-20 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Ignored (superseded by openjdk-21)
	mantic	Ignored (superseded by openjdk-21)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjdk-21 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Released (21.0.2+13-1~20.04.1)
	jammy	Released (21.0.2+13-1~22.04.1)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Released (21.0.2+13-1~23.10.1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Patches: upsteam: https://github.com/openjdk/jdk21u/commit/e831175ecf54edab00820e9a10e134ca96b7b9df
openjdk-22 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Needed
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Patches: upstream: https://github.com/openjdk/jdk22/commit/c7f1c97312f94b6dd6398a5e98dd0c8b63db4c9b
openjdk-8 Launchpad, Ubuntu, Debian	bionic	Released (8u402-ga-2ubuntu1~18.04) Available with Ubuntu Pro
	focal	Released (8u402-ga-2ubuntu1~20.04)
	jammy	Released (8u402-ga-2ubuntu1~22.04)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Released (8u402-ga-2ubuntu1~23.10.1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needed
	Patches: upstream: https://github.com/openjdk/jdk8u/commit/d4b472ff937883b62f26a39c9ddf72f07f9dfff8
openjdk-9 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Ignored (no longer supported by upstream)
openjdk-lts Launchpad, Ubuntu, Debian	bionic	Released (11.0.22+7-0ubuntu2~18.04.1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	focal	Released (11.0.22+7-0ubuntu2~20.04.1)
	jammy	Released (11.0.22+7-0ubuntu2~22.04.1)
	lunar	Ignored (end of life, was needs-triage)
	mantic	Released (11.0.22+7-0ubuntu2~23.10.1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Patches: upstream: https://github.com/openjdk/jdk11u/commit/a9145c7a192568d82f766e43459ec813eabf0045

Severity score breakdown

Parameter	Value
Base score	7.4
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›