CVE-2023-22045: 
Java vulnerability analysis and mitigation

CVE-2023-22045 is a vulnerability discovered in Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK. The vulnerability was disclosed in July 2023 and affects multiple versions including Oracle Java SE (8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1), Oracle GraalVM Enterprise Edition (20.3.10, 21.3.6, 22.3.2), and Oracle GraalVM for JDK (17.0.7, 20.0.1). This vulnerability was identified by Zhiqiang Zang of University of Texas at Austin (Oracle Advisory).

The vulnerability is characterized as an array indexing integer overflow issue (reference #8304468). It has been assigned a CVSS 3.1 base score of 3.7 (LOW) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability is network accessible, requires high attack complexity, needs no privileges, requires no user interaction, has unchanged scope, and can only impact confidentiality at a low level (NVD).

If successfully exploited, this vulnerability could allow an unauthenticated attacker with network access via multiple protocols to gain unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK accessible data. The vulnerability can be exploited through APIs in the specified Component, particularly through web services that supply data to the APIs (NVD).

Oracle has released patches to address this vulnerability in their July 2023 Critical Patch Update. Users are strongly recommended to update to the fixed versions. For Java SE users running with a browser, the latest release can be downloaded from java.com. Users on Windows and Mac OS X platforms can also use automatic updates to get the latest release (Oracle Advisory).