Vulnerability DatabaseCVE-2024-20952

CVE-2024-20952:
NixOS vulnerability analysis and mitigation

Overview

A vulnerability in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition was discovered affecting multiple versions including Java SE 8u391, 11.0.21, 17.0.9, and 21.0.1. This difficult-to-exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise the affected systems (Oracle CPU).

Technical details

The vulnerability is related to RSA padding issues and timing side-channel attacks against TLS. It has been assigned a CVSS 3.1 Base Score of 7.4 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating network vector attack with high complexity, requiring no privileges or user interaction (NVD, NetApp Advisory).

Impact

Successful exploitation can result in unauthorized creation, deletion, or modification access to critical data, as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data (Oracle CPU).

Mitigation and workarounds

Oracle has released security patches as part of its January 2024 Critical Patch Update. Users are strongly advised to update to the fixed versions: Java SE 8u391, 11.0.22, 17.0.9, and 21.0.1. The vulnerability does not affect Java deployments that load and run only trusted code (Oracle CPU, Red Hat Advisory).

Additional resources

Source: This report was generated using AI

7.4

Score

Published January 16, 2024

Severity HIGH

CNA Score 7.4

Affected Technologies

NixOS
Amazon Corretto JDK

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 42.7

Exploitation Probability (EPSS) 0.2

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: Jan 21, 2024
- AlmaLinux 9 Severity HIGHHas FixAdded at: Jan 21, 2024
Alpine Security Tracker
- Alpine 3.16, 3.17, 3.18, 3.19, edge Severity HIGHHas FixAdded at: Jan 21, 2024
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
Anaconda
- Anaconda Severity HIGHHas FixAdded at: Mar 27, 2025
Chainguard
- Chainguard Has FixAdded at: Nov 11, 2024
Debian Security Tracker
- Debian 10, 11, 12, 13 Severity HIGHHas FixAdded at: Jan 21, 2024
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Dec 08, 2024
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Mar 27, 2025
Nix
- Nix Severity HIGHHas FixAdded at: Mar 27, 2025
Red Hat Errata
- Red Hat 6 Severity HIGHNo FixAdded at: Jan 21, 2024
- Red Hat 7 Severity HIGHHas FixAdded at: Jan 21, 2024
- Red Hat 8 Severity HIGHHas FixAdded at: Jan 21, 2024
- Red Hat 9 Severity HIGHHas FixAdded at: Jan 21, 2024
Ubuntu Security Tracker
- Ubuntu 16.04 Severity MEDIUMHas FixAdded at: Feb 25, 2024
- Ubuntu 18.04, 20.04, 22.04, 23.10 Severity MEDIUMHas FixAdded at: Feb 14, 2024
Wolfi
- Wolfi Has FixAdded at: Nov 11, 2024
NVD
- Linux Severity HIGHHas FixAdded at: Jan 24, 2024
- Windows Severity HIGHHas FixAdded at: Jan 23, 2024