CVE-2023-22081: 
Amazon Corretto JDK vulnerability analysis and mitigation

CVE-2023-22081 is a vulnerability in Oracle Java SE's JSSE (Java Secure Socket Extension) component. The vulnerability was disclosed in October 2023 and affects multiple versions of Oracle Java SE (8u381, 8u381-perf, 11.0.20, 17.0.8, 21), Oracle GraalVM for JDK (17.0.8, 21), and Oracle GraalVM Enterprise Edition (20.3.11, 21.3.7, 22.3.3). This vulnerability is related to certificate path validation issues during client authentication (Oracle Advisory).

The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTPS. It has been assigned a CVSS 3.1 Base Score of 5.3 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability specifically affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of affected Oracle Java SE products. The vulnerability primarily impacts availability, with no direct effect on confidentiality or integrity. It specifically affects Java deployments that rely on the Java sandbox for security when loading and running untrusted code from the internet (Oracle Advisory).

Oracle has released patches for affected versions in their October 2023 Critical Patch Update. Various Linux distributions have also released fixes, including Red Hat Enterprise Linux (version 11.0.21.0.9-1), Debian (version 11.0.21+9-1~deb10u1 for Debian 10 buster), and others. Users are strongly recommended to upgrade to the patched versions (Red Hat Advisory, Debian Advisory).