Bugzilla – Bug 1220074
VUL-0: CVE-2024-20903: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: Vulnerability in the Java VM component of Oracle Database Server
Last modified: 2024-03-07 13:30:25 UTC
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.21 and 21.3-21.12. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-20903 https://www.cve.org/CVERecord?id=CVE-2024-20903 https://www.oracle.com/security-alerts/cpujan2024.html
Hello, @security-team. This CVE is not mentioned in the IBM advisories, see [0]. Note that, it might be added in a future version release. I'll keep an eye if it needs to be referenced. TIA [0] https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
Vulnerability not affecting OpenJDK. It is proprietary to Oracle.
closing