CVE-2024-20945: 
Java vulnerability analysis and mitigation

A security vulnerability identified as CVE-2024-20945 affects Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products. The vulnerability was discovered and disclosed in January 2024, impacting multiple versions including Oracle Java SE (8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1), Oracle GraalVM for JDK (17.0.9, 21.0.1), and Oracle GraalVM Enterprise Edition (20.3.12, 21.3.8, 22.3.4). This vulnerability involves logging of digital signature private keys in the Security component (Oracle Advisory, Red Hat Advisory).

The vulnerability is classified as difficult to exploit and requires a low-privileged attacker with logon access to the infrastructure where the affected products execute. It has received a CVSS 3.1 Base Score of 4.7, indicating medium severity, with the following vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability specifically affects the Security component and can be exploited through APIs, particularly through web services that supply data to these APIs (Oracle Advisory).

If successfully exploited, this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data. The vulnerability primarily impacts confidentiality, with no direct effect on integrity or availability of the system (Oracle Advisory).

Oracle has released security patches as part of its January 2024 Critical Patch Update to address this vulnerability. Users are strongly advised to update to the patched versions of the affected products. This vulnerability applies to Java deployments that rely on the Java sandbox for security, particularly those running sandboxed Java Web Start applications or sandboxed Java applets (Oracle Advisory).