cnvd - cnvd-2024-44547

cnvd-2024-44547

Vulnerability from cnvd

Title: Oracle Java SE存在未明漏洞（CNVD-2024-44547）

Description:

Oracle GraalVM是一套使用Java语言编写的即时编译器。该产品支持多种编程语言和执行模式。GraalVM Enterprise Edition是GraalVM的企业版。Oracle GraalVM是一套使用Java语言编写的即时编译器。该产品支持多种编程语言和执行模式。Oracle Java SE是一款用于开发和部署桌面、服务器以及嵌入设备和实时环境中的Java应用程序。

Oracle Java SE的Oracle Java SE、Oracle GraalVM for JDK和Oracle GraalVM Enterprise Edition存在安全漏洞，攻击者可利用该漏洞导致系统拒绝服务。

Severity: 低

Patch Name: Oracle Java SE存在未明漏洞（CNVD-2024-44547）的补丁

Patch Description:

Oracle Java SE的Oracle Java SE、Oracle GraalVM for JDK和Oracle GraalVM Enterprise Edition存在安全漏洞，攻击者可利用该漏洞导致系统拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.oracle.com/security-alerts/cpuoct2024.html

Reference: https://www.oracle.com/security-alerts/cpuoct2024.html

Impacted products

Name
['Oracle Java SE 23', 'Oracle graalvm for jdk 17.0.12', 'Oracle graalvm for jdk 21.0.4', 'Oracle graalvm for jdk 23', 'Oracle GraalVM Enterprise Edition 20.3.15', 'Oracle GraalVM Enterprise Edition 21.3.11', 'Oracle Java SE 8u421', 'Oracle Java SE 8u421-perf', 'Oracle Java SE 11.0.24', 'Oracle Java SE 17.0.12', 'Oracle Java SE 21.0.4']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-21208",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-21208"
    }
  },
  "description": "Oracle GraalVM\u662f\u4e00\u5957\u4f7f\u7528Java\u8bed\u8a00\u7f16\u5199\u7684\u5373\u65f6\u7f16\u8bd1\u5668\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u591a\u79cd\u7f16\u7a0b\u8bed\u8a00\u548c\u6267\u884c\u6a21\u5f0f\u3002GraalVM Enterprise Edition\u662fGraalVM\u7684\u4f01\u4e1a\u7248\u3002Oracle GraalVM\u662f\u4e00\u5957\u4f7f\u7528Java\u8bed\u8a00\u7f16\u5199\u7684\u5373\u65f6\u7f16\u8bd1\u5668\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u591a\u79cd\u7f16\u7a0b\u8bed\u8a00\u548c\u6267\u884c\u6a21\u5f0f\u3002Oracle Java SE\u662f\u4e00\u6b3e\u7528\u4e8e\u5f00\u53d1\u548c\u90e8\u7f72\u684c\u9762\u3001\u670d\u52a1\u5668\u4ee5\u53ca\u5d4c\u5165\u8bbe\u5907\u548c\u5b9e\u65f6\u73af\u5883\u4e2d\u7684Java\u5e94\u7528\u7a0b\u5e8f\u3002 \n\nOracle Java SE\u7684Oracle Java SE\u3001Oracle GraalVM for JDK\u548cOracle GraalVM Enterprise Edition\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7cfb\u7edf\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.oracle.com/security-alerts/cpuoct2024.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-44547",
  "openTime": "2024-11-15",
  "patchDescription": "Oracle GraalVM\u662f\u4e00\u5957\u4f7f\u7528Java\u8bed\u8a00\u7f16\u5199\u7684\u5373\u65f6\u7f16\u8bd1\u5668\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u591a\u79cd\u7f16\u7a0b\u8bed\u8a00\u548c\u6267\u884c\u6a21\u5f0f\u3002GraalVM Enterprise Edition\u662fGraalVM\u7684\u4f01\u4e1a\u7248\u3002Oracle GraalVM\u662f\u4e00\u5957\u4f7f\u7528Java\u8bed\u8a00\u7f16\u5199\u7684\u5373\u65f6\u7f16\u8bd1\u5668\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u591a\u79cd\u7f16\u7a0b\u8bed\u8a00\u548c\u6267\u884c\u6a21\u5f0f\u3002Oracle Java SE\u662f\u4e00\u6b3e\u7528\u4e8e\u5f00\u53d1\u548c\u90e8\u7f72\u684c\u9762\u3001\u670d\u52a1\u5668\u4ee5\u53ca\u5d4c\u5165\u8bbe\u5907\u548c\u5b9e\u65f6\u73af\u5883\u4e2d\u7684Java\u5e94\u7528\u7a0b\u5e8f\u3002 \r\n\r\nOracle Java SE\u7684Oracle Java SE\u3001Oracle GraalVM for JDK\u548cOracle GraalVM Enterprise Edition\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u7cfb\u7edf\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Oracle Java SE\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2024-44547\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Oracle Java SE 23",
      "Oracle graalvm for jdk 17.0.12",
      "Oracle graalvm for jdk 21.0.4",
      "Oracle graalvm for jdk 23",
      "Oracle GraalVM Enterprise Edition 20.3.15",
      "Oracle GraalVM Enterprise Edition 21.3.11",
      "Oracle Java SE 8u421",
      "Oracle Java SE 8u421-perf",
      "Oracle Java SE 11.0.24",
      "Oracle Java SE 17.0.12",
      "Oracle Java SE 21.0.4"
    ]
  },
  "referenceLink": "https://www.oracle.com/security-alerts/cpuoct2024.html",
  "serverity": "\u4f4e",
  "submitTime": "2024-10-23",
  "title": "Oracle Java SE\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2024-44547\uff09"
}

CVE-2024-21208 (GCVE-0-2024-21208)

Vulnerability from cvelistv5

Published

2024-10-15 19:52

Modified

2024-10-31 13:06

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.

Summary

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

References

▼	URL	Tags
	https://www.oracle.com/security-alerts/cpuoct2024.html	vendor-advisory

Impacted products

	Vendor	Product	Version
	Oracle Corporation	Oracle Java SE	Version: Oracle Java SE:8u421 Version: Oracle Java SE:8u421-perf Version: Oracle Java SE:11.0.24 Version: Oracle Java SE:17.0.12 Version: Oracle Java SE:21.0.4 Version: Oracle Java SE:23 Version: Oracle GraalVM for JDK:17.0.12 Version: Oracle GraalVM for JDK:21.0.4 Version: Oracle GraalVM for JDK:23 Version: Oracle GraalVM Enterprise Edition:20.3.15 Version: Oracle GraalVM Enterprise Edition:21.3.11 cpe:2.3:a:oracle:java_se:8u421:::::::* cpe:2.3:a:oracle:java_se:8u421::::enterprise_performance::: cpe:2.3:a:oracle:java_se:11.0.24:::::::* cpe:2.3:a:oracle:java_se:17.0.12:::::::* cpe:2.3:a:oracle:java_se:21.0.4:::::::* cpe:2.3:a:oracle:java_se:23:::::::* cpe:2.3:a:oracle:graalvm_for_jdk:17.0.12:::::::* cpe:2.3:a:oracle:graalvm_for_jdk:21.0.4:::::::* cpe:2.3:a:oracle:graalvm_for_jdk:23:::::::* cpe:2.3:a:oracle:graalvm:20.3.15::::enterprise::: cpe:2.3:a:oracle:graalvm:21.3.11::::enterprise:::

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21208",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T13:27:45.725418Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-203",
                "description": "CWE-203 Observable Discrepancy",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-31T13:06:16.702Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:oracle:java_se:8u421:*:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:java_se:8u421:*:*:*:enterprise_performance:*:*:*",
            "cpe:2.3:a:oracle:java_se:11.0.24:*:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:java_se:17.0.12:*:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:java_se:21.0.4:*:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:java_se:23:*:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.12:*:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.4:*:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:graalvm_for_jdk:23:*:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:graalvm:20.3.15:*:*:*:enterprise:*:*:*",
            "cpe:2.3:a:oracle:graalvm:21.3.11:*:*:*:enterprise:*:*:*"
          ],
          "product": "Oracle Java SE",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Oracle Java SE:8u421"
            },
            {
              "status": "affected",
              "version": "Oracle Java SE:8u421-perf"
            },
            {
              "status": "affected",
              "version": "Oracle Java SE:11.0.24"
            },
            {
              "status": "affected",
              "version": "Oracle Java SE:17.0.12"
            },
            {
              "status": "affected",
              "version": "Oracle Java SE:21.0.4"
            },
            {
              "status": "affected",
              "version": "Oracle Java SE:23"
            },
            {
              "status": "affected",
              "version": "Oracle GraalVM for JDK:17.0.12"
            },
            {
              "status": "affected",
              "version": "Oracle GraalVM for JDK:21.0.4"
            },
            {
              "status": "affected",
              "version": "Oracle GraalVM for JDK:23"
            },
            {
              "status": "affected",
              "version": "Oracle GraalVM Enterprise Edition:20.3.15"
            },
            {
              "status": "affected",
              "version": "Oracle GraalVM Enterprise Edition:21.3.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and  21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
              "lang": "en-US"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-15T19:52:40.907Z",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "name": "Oracle Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2024-21208",
    "datePublished": "2024-10-15T19:52:40.907Z",
    "dateReserved": "2023-12-07T22:28:10.690Z",
    "dateUpdated": "2024-10-31T13:06:16.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted