3.7 CVE-2024-21208
Enriched by CISA
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
https://nvd.nist.gov/vuln/detail/CVE-2024-21208
Categories
CWE-203 : Observable Discrepancy
Discrepancies can take many forms, and variations may be detectable in timing, control flow, communications such as replies or requests, or general behavior. These discrepancies can reveal information about the product's operation or internal state to an unauthorized actor. In some cases, discrepancies can be used by attackers to form a side channel.
References
| Source | URL | Tags |
|---|---|---|
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/10/msg00020.html | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20241018-0010/ | |
| secalert_us@oracle.com | https://www.oracle.com/security-alerts/cpuoct2024.html | Vendor Advisory |
AFFECTED (from MITRE)
| Vendor | Product | Versions |
|---|---|---|
| Oracle Corporation | Oracle Java SE | |

© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:a:oracle:graalvm:20.3.15:*:*:*:enterprise:*:*:* | ||
| cpe:2.3:a:oracle:graalvm:21.3.11:*:*:*:enterprise:*:*:* | ||
| cpe:2.3:a:oracle:graalvm_for_jdk:17.0.12:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:graalvm_for_jdk:21.0.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:graalvm_for_jdk:23:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jdk:1.8.0:update421:*:*:-:*:*:* | ||
| cpe:2.3:a:oracle:jdk:1.8.0:update421:*:*:enterprise_performance_pack:*:*:* | ||
| cpe:2.3:a:oracle:jdk:11.0.24:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jdk:17.0.12:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jdk:21.0.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jdk:23:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jre:1.8.0:update421:*:*:-:*:*:* | ||
| cpe:2.3:a:oracle:jre:1.8.0:update421:*:*:enterprise_performance_pack:*:*:* | ||
| cpe:2.3:a:oracle:jre:11.0.24:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jre:17.0.12:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jre:21.0.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jre:23:*:*:*:*:*:*:* | ||
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
| No known exploits |
Other Nist (github, ...)
| Url |
|---|
| No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| 189 | Black Box Reverse Engineering | Low |