Bug 1218912 (CVE-2024-20955)

Summary: VUL-0: CVE-2024-20955: Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler)
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Fridrich Strba <fstrba>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/391480/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-20955:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-01-17 12:25:35 UTC
Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-20955
https://www.cve.org/CVERecord?id=CVE-2024-20955
https://www.oracle.com/security-alerts/cpujan2024.html
Comment 1 Fridrich Strba 2024-01-19 17:34:37 UTC
Vulnerability in Oracle-only module not affecting OpenJDK
Comment 2 Thomas Leroy 2024-01-22 08:21:56 UTC
(In reply to Fridrich Strba from comment #1)
> Vulnerability in Oracle-only module not affecting OpenJDK

Thanks Fridrich. Closing.