CVE-2023-22044: 
Java vulnerability analysis and mitigation

A vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK was discovered and disclosed in July 2023. The vulnerability (CVE-2023-22044) affects multiple versions including Oracle Java SE versions 8u371-perf, 17.0.7, and 20.0.1; Oracle GraalVM Enterprise Edition versions 21.3.6 and 22.3.2; and Oracle GraalVM for JDK versions 17.0.7 and 20.0.1. This vulnerability is related to a modulo operator array indexing issue (Oracle CPUJul2023).

The vulnerability is classified as difficult to exploit and requires network access via multiple protocols. It has been assigned a CVSS v3.1 base score of 3.7 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability can be exploited through APIs in the specified Component, particularly through web services which supply data to the APIs (NVD).

Successful exploitation of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK accessible data. The vulnerability particularly affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (NVD).

Oracle has released patches to address this vulnerability in their July 2023 Critical Patch Update. The fix is available for affected versions of Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK. Users are strongly recommended to apply these security patches as soon as possible (Oracle CPUJul2023, NetApp Advisory).

Multiple organizations and vendors have responded to this vulnerability by issuing advisories and patches. NetApp has released an advisory detailing the impact on their products and providing mitigation guidance. Red Hat has also included fixes for this vulnerability in their security updates (NetApp Advisory, Red Hat Advisory).