CVE-2024-20918: 
Amazon Corretto JDK vulnerability analysis and mitigation

A vulnerability was discovered in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products (CVE-2024-20918). The affected versions include Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; and Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8, and 22.3.4. This vulnerability was disclosed in January 2024 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability is characterized as difficult to exploit and involves an array out-of-bounds access due to missing range check in C1 compiler. It has been assigned a CVSS 3.1 Base Score of 7.4 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating network vector attack with high complexity, requiring no privileges or user interaction (NVD).

Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data, as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data. The vulnerability can be exploited through APIs in the specified Component, such as through web services which supply data to the APIs (Oracle CPU).

Oracle has released patches to address this vulnerability in their January 2024 Critical Patch Update. Users are strongly recommended to update to the patched versions. For specific products like NetApp, fixes have been released for various affected products including SANtricity Storage Plugin for vCenter, Data Infrastructure Insights Acquisition Unit, and other components (NetApp Advisory).