CVE-2023-21930: 
Java vulnerability analysis and mitigation

CVE-2023-21930 is a vulnerability affecting Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability was discovered by Ben Smyth and disclosed in April 2023. It affects multiple versions including Oracle Java SE (8u361, 8u361-perf, 11.0.18, 17.0.6, 20) and Oracle GraalVM Enterprise Edition (20.3.9, 21.3.5, 22.3.1). This vulnerability specifically impacts the JSSE (Java Secure Socket Extension) component (Oracle CPU).

The vulnerability is characterized as difficult to exploit but allows unauthenticated attackers with network access via TLS to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. It has been assigned a CVSS 3.1 Base Score of 7.4 (High) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. The vulnerability involves improper connection handling during TLS handshake (NVD, RedHat).

Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data, as well as unauthorized access to critical data or complete access to all accessible data. This vulnerability particularly affects Java deployments that load and run untrusted code and rely on the Java sandbox for security (NVD).

Oracle has released patches to address this vulnerability in their April 2023 Critical Patch Update. Users are strongly recommended to update to the fixed versions. For Java SE, this includes updating to version 11.0.19, 17.0.7, or newer versions depending on the product line being used (Oracle CPU, RedHat).