CVE-2023-22044

OpenJDK: modulo operator array indexing issue (8304460)

Severity Score

3.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. This release of the Red Hat build of OpenJDK 17 for portable Linux serves as a replacement for the Red Hat build of OpenJDK 17 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service and integer overflow vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2022-12-17 CVE Reserved
2023-07-18 CVE Published
2025-02-13 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (5)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20230725-0006	Third Party Advisory
https://www.debian.org/security/2023/dsa-5458	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpujul2023.html	2023-07-27

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-22044	2023-07-20
https://bugzilla.redhat.com/show_bug.cgi?id=2221642	2023-07-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				21.3.6 Search vendor "Oracle" for product "Graalvm" and version "21.3.6"		enterprise		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				22.3.2 Search vendor "Oracle" for product "Graalvm" and version "22.3.2"		enterprise		Affected
Oracle Search vendor "Oracle"		Graalvm For Jdk Search vendor "Oracle" for product "Graalvm For Jdk"				17.0.7 Search vendor "Oracle" for product "Graalvm For Jdk" and version "17.0.7"		-		Affected
Oracle Search vendor "Oracle"		Graalvm For Jdk Search vendor "Oracle" for product "Graalvm For Jdk"				20.0.1 Search vendor "Oracle" for product "Graalvm For Jdk" and version "20.0.1"		-		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.8.0 Search vendor "Oracle" for product "Jdk" and version "1.8.0"		update371, enterprise_performance_pack		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				17.0.7 Search vendor "Oracle" for product "Jdk" and version "17.0.7"		-		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				20.0.1 Search vendor "Oracle" for product "Jdk" and version "20.0.1"		-		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				1.8.0 Search vendor "Oracle" for product "Jre" and version "1.8.0"		update371, enterprise_performance_pack		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				17.0.7 Search vendor "Oracle" for product "Jre" and version "17.0.7"		-		Affected
Oracle Search vendor "Oracle"		Jre Search vendor "Oracle" for product "Jre"				20.0.1 Search vendor "Oracle" for product "Jre" and version "20.0.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0"		-		Affected