Bug 1220074 (CVE-2024-20903)

Summary: VUL-0: CVE-2024-20903: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: Vulnerability in the Java VM component of Oracle Database Server
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Fridrich Strba <fstrba>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: pmonrealgonzalez, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/394406/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-20903:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-19 12:30:03 UTC 
Vulnerability in the Java VM component of Oracle Database Server.  Supported versions that are affected are 19.3-19.21 and  21.3-21.12. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-20903
https://www.cve.org/CVERecord?id=CVE-2024-20903
https://www.oracle.com/security-alerts/cpujan2024.html
Comment 1 Pedro Monreal Gonzalez 2024-02-19 15:09:49 UTC 
Hello, @security-team.

This CVE is not mentioned in the IBM advisories, see [0]. Note that, it might be added in a future version release. I'll keep an eye if it needs to be referenced. 

TIA

[0] https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
Comment 2 Fridrich Strba 2024-03-07 13:29:34 UTC 
Vulnerability not affecting OpenJDK. It is proprietary to Oracle.
Comment 3 Fridrich Strba 2024-03-07 13:30:25 UTC 
closing