CVE-2023-22036 - Vulnerability Details

- OpenJDK: ZIP file parsing infinite loop (8302483)

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Published: 2023-07-18

Score: 3.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Java SE JDK and JRE

affected

Version	Status	Constraints
`Oracle Java SE:11.0.19`	affected	—
`Oracle Java SE:17.0.7`	affected	—
`Oracle Java SE:20.0.1`	affected	—
`Oracle GraalVM Enterprise Edition:20.3.10`	affected	—
`Oracle GraalVM Enterprise Edition:21.3.6`	affected	—
`Oracle GraalVM Enterprise Edition:22.3.2`	affected	—
`Oracle GraalVM for JDK:17.0.7`	affected	—
`Oracle GraalVM for JDK:20.0.1`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:oracle:graalvm:20.3.10::::enterprise:::
	cpe:2.3:a:oracle:graalvm:21.3.6::::enterprise:::
	cpe:2.3:a:oracle:graalvm:22.3.2::::enterprise:::
	cpe:2.3:a:oracle:graalvm_for_jdk:17.0.7:::::::*
	cpe:2.3:a:oracle:graalvm_for_jdk:20.0.1:::::::*
	cpe:2.3:a:oracle:jdk:11.0.19:::::::*
	cpe:2.3:a:oracle:jdk:17.0.7:::::::*
	cpe:2.3:a:oracle:jdk:20.0.1:::::::*
	cpe:2.3:a:oracle:jre:11.0.19:::::::*
	cpe:2.3:a:oracle:jre:17.0.7:::::::*
	cpe:2.3:a:oracle:jre:20.0.1:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*
	cpe:2.3:o:debian:debian_linux:12.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:netapp:7-mode_transition_tool:-:::::::*
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:::::::*
	cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:::::::*
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*

Package	CPE	Advisory	Released Date
Red Hat Build of OpenJDK 11.0.20
Linux	cpe:/a:redhat:openjdk:11	RHSA-2023:4208	2023-07-20T00:00:00Z
Windows	cpe:/a:redhat:openjdk:11::windows	RHSA-2023:4161	2023-07-20T00:00:00Z
Red Hat Build of OpenJDK 17.0.8
Linux	cpe:/a:redhat:openjdk:17	RHSA-2023:4210	2023-07-20T00:00:00Z
Windows	cpe:/a:redhat:openjdk:17::windows	RHSA-2023:4211	2023-07-20T00:00:00Z
Red Hat Enterprise Linux 7
java-11-openjdk-1:11.0.20.0.8-1.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2023:4233	2023-07-21T00:00:00Z
Red Hat Enterprise Linux 8
java-17-openjdk-1:17.0.8.0.7-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:4159	2023-07-20T00:00:00Z
java-11-openjdk-1:11.0.20.0.8-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:4175	2023-07-20T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
java-11-openjdk-1:11.0.20.0.8-1.el8_1	cpe:/a:redhat:rhel_e4s:8.1	RHSA-2023:4165	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
java-11-openjdk-1:11.0.20.0.8-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2023:4162	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
java-11-openjdk-1:11.0.20.0.8-1.el8_2	cpe:/a:redhat:rhel_tus:8.2	RHSA-2023:4162	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
java-11-openjdk-1:11.0.20.0.8-1.el8_2	cpe:/a:redhat:rhel_e4s:8.2	RHSA-2023:4162	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
java-11-openjdk-1:11.0.20.0.8-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2023:4163	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2023:4171	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
java-11-openjdk-1:11.0.20.0.8-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2023:4163	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2023:4171	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
java-11-openjdk-1:11.0.20.0.8-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2023:4163	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2023:4171	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
java-11-openjdk-1:11.0.20.0.8-1.el8_6	cpe:/a:redhat:rhel_eus:8.6	RHSA-2023:4164	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el8_6	cpe:/a:redhat:rhel_eus:8.6	RHSA-2023:4170	2023-07-19T00:00:00Z
Red Hat Enterprise Linux 9
java-11-openjdk-1:11.0.20.0.8-2.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:4158	2023-07-20T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-2.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:4177	2023-07-20T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
java-11-openjdk-1:11.0.20.0.8-1.el9_0	cpe:/a:redhat:rhel_eus:9.0	RHSA-2023:4157	2023-07-19T00:00:00Z
java-17-openjdk-1:17.0.8.0.7-1.el9_0	cpe:/a:redhat:rhel_eus:9.0	RHSA-2023:4169	2023-07-19T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-3571-1	openjdk-11 security update
Debian DSA	DSA-5458-1	openjdk-17 security update
Debian DSA	DSA-5478-1	openjdk-11 security update
EUVD	EUVD-2023-26201	Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu USN	USN-6263-1	OpenJDK vulnerabilities
Ubuntu USN	USN-6272-1	OpenJDK 20 vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00097.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html
https://nvd.nist.gov/vuln/detail/CVE-2023-22036
https://security.netapp.com/advisory/ntap-20230725-0006/
https://www.cve.org/CVERecord?id=CVE-2023-22036
https://www.debian.org/security/2023/dsa-5458
https://www.debian.org/security/2023/dsa-5478
https://www.oracle.com/security-alerts/cpujul2023.html

History

No history.

Subscriptions

Debian Debian Linux

Netapp 7-mode Transition Tool Active Iq Unified Manager Cloud Insights Acquisition Unit Cloud Insights Storage Workload Security Agent Oncommand Insight

Oracle Graalvm Graalvm For Jdk Jdk Jre

Redhat Enterprise Linux Openjdk Rhel Aus Rhel E4s Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2023-07-18T20:18:20.850Z

Updated: 2025-02-13T16:43:28.142Z

Reserved: 2022-12-17T19:26:00.753Z

Link: CVE-2023-22036

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-07-18T21:15:13.587

Modified: 2024-11-21T07:44:08.970

Link: CVE-2023-22036

Redhat

Severity : Moderate

Publid Date: 2023-07-18T20:00:00Z

Links: CVE-2023-22036 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object