CVE-2023-21967: 
Java vulnerability analysis and mitigation

CVE-2023-21967 is a vulnerability affecting Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability was discovered by Jonathan Looney of Netflix and disclosed in April 2023. It affects multiple versions of Oracle Java SE (8u361, 8u361-perf, 11.0.18, 17.0.6, 20) and Oracle GraalVM Enterprise Edition (20.3.9, 21.3.5, 22.3.1). This vulnerability specifically impacts Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle Advisory).

The vulnerability is classified as difficult to exploit but allows unauthenticated attackers with network access via HTTPS to compromise affected systems. It has been assigned a CVSS 3.1 Base Score of 5.9 (Medium) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability specifically affects the JSSE (Java Secure Socket Extension) component (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DoS) of Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability can be exploited through APIs in the specified Component, such as through a web service which supplies data to the APIs (Oracle Advisory).

Oracle has released patches to address this vulnerability in their April 2023 Critical Patch Update. Users are advised to update to the fixed versions: Java SE versions 8u361, 11.0.18, 17.0.6, and 20, and GraalVM Enterprise Edition versions 20.3.9, 21.3.5, and 22.3.1. Various Linux distributions have also released security updates, including Debian which has fixed the issue in openjdk-17 version 17.0.7+7-1~deb11u1 for oldstable and 17.0.7+7-1~deb12u1 for stable distributions (Debian Advisory).