CVE-2024-20926: 
Java vulnerability analysis and mitigation

A vulnerability has been identified in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products, specifically in the Scripting component. The affected versions include Oracle Java SE (8u391, 8u391-perf, 11.0.21), Oracle GraalVM for JDK (17.0.9), and Oracle GraalVM Enterprise Edition (20.3.12, 21.3.8, and 22.3.4). This vulnerability was disclosed in January 2024 and assigned identifier CVE-2024-20926 (NIST).

The vulnerability is classified as difficult to exploit but can be accessed remotely through multiple protocols. It has been assigned a CVSS 3.1 Base Score of 5.9 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability specifically affects the Scripting component and can be exploited through APIs, particularly through web services that supply data to these APIs (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data. The vulnerability particularly affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (NIST).

Oracle has released patches to address this vulnerability in their January 2024 Critical Patch Update. Users are strongly advised to update to the latest versions of affected products. For Java SE, this includes updating to version 8u402, 11.0.22, or later versions depending on the product line being used (Red Hat).

Multiple vendors and organizations have responded to this vulnerability by issuing advisories and patches. NetApp has incorporated fixes into various products and continues to update their advisory as additional information becomes available (NetApp Advisory). Debian has also released security updates to address this vulnerability in their systems (Debian Advisory).