CVE-2023-22041: 
Java vulnerability analysis and mitigation

A vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK was discovered (CVE-2023-22041). The vulnerability affects multiple versions including Oracle Java SE (8u371-perf, 11.0.19, 17.0.7, 20.0.1), Oracle GraalVM Enterprise Edition (20.3.10, 21.3.6, 22.3.2), and Oracle GraalVM for JDK (17.0.7 and 20.0.1). This vulnerability specifically applies to Java deployments that load and run untrusted code, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (Oracle CPU).

The vulnerability is characterized as difficult to exploit and requires an unauthenticated attacker with logon access to the infrastructure where the affected software executes. It has been assigned a CVSS 3.1 Base Score of 5.1 (Medium) with the vector string: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability represents a weakness in the AES implementation that could potentially compromise the confidentiality of data (NVD).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK accessible data. The vulnerability primarily affects confidentiality, with no direct impact on integrity or availability (Oracle CPU).

Oracle has released patches to address this vulnerability in their July 2023 Critical Patch Update. Users are advised to upgrade to the fixed versions. For Debian systems, fixes have been released in version 11.0.20+8-1~deb10u1 for Debian 10, version 11.0.20+8-1~deb11u1 for Debian 11 (bullseye), and version 17.0.8+7-1~deb12u1 for Debian 12 (bookworm) (Debian Security, Debian LTS).