CVE-2023-21930

7.4 HIGH

📋 TL;DR

This vulnerability in Oracle Java SE and GraalVM Enterprise Edition's JSSE component allows attackers to compromise confidentiality and integrity of data via TLS connections. It affects Java deployments running sandboxed applications that load untrusted code from the internet. The vulnerability is difficult to exploit but could lead to unauthorized data access or modification.

💻 Affected Systems

Products:

Oracle Java SE
Oracle GraalVM Enterprise Edition

Versions: Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5, 22.3.1

Operating Systems: All platforms running affected Java versions

Default Config Vulnerable: ⚠️ Yes

Notes: Primarily affects deployments running sandboxed Java Web Start applications or sandboxed Java applets that load untrusted code from the internet.

📦 What is this software?

7 Mode Transition Tool by Netapp

View all CVEs affecting 7 Mode Transition Tool →

Brocade San Navigator by Netapp

View all CVEs affecting Brocade San Navigator →

Cloud Insights Acquisition Unit by Netapp

View all CVEs affecting Cloud Insights Acquisition Unit →

Cloud Insights Storage Workload Security Agent by Netapp

View all CVEs affecting Cloud Insights Storage Workload Security Agent →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Graalvm by Oracle

View all CVEs affecting Graalvm →

Graalvm by Oracle

View all CVEs affecting Graalvm →

Graalvm by Oracle

View all CVEs affecting Graalvm →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jre by Oracle

View all CVEs affecting Jre →

Jre by Oracle

View all CVEs affecting Jre →

Jre by Oracle

View all CVEs affecting Jre →

Jre by Oracle

View all CVEs affecting Jre →

Oncommand Insight by Netapp

View all CVEs affecting Oncommand Insight →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Java application data including unauthorized creation, deletion, or modification of critical data, potentially leading to data breach or system takeover.

🟠

Likely Case

Unauthorized access to sensitive data processed by vulnerable Java applications, particularly in web services or client applications loading untrusted code.

🟢

If Mitigated

Limited impact if applications don't process sensitive data or have additional security controls beyond Java sandbox.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Vulnerability is difficult to exploit and requires network access via TLS. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply latest Critical Patch Update (CPU) for Java SE and GraalVM Enterprise Edition

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2023.html

Restart Required: Yes

Instructions:

1. Download latest Java SE or GraalVM Enterprise Edition patches from Oracle. 2. Apply patches according to Oracle documentation. 3. Restart affected Java applications and services. 4. Verify patch installation.

🔧 Temporary Workarounds

Disable Java Web Start and Applets

all

Prevent execution of sandboxed Java applications that load untrusted code

For browsers: Disable Java plugin
For systems: Remove or disable Java Web Start

Network Segmentation

all

Restrict network access to Java applications processing sensitive data

Configure firewall rules to limit TLS connections to trusted sources only

🧯 If You Can't Patch

Implement strict network controls to limit TLS access to Java applications
Disable Java features that load untrusted code from the internet

🔍 How to Verify

Check if Vulnerable:

Check Java version with 'java -version' and compare against affected versions

Check Version:

java -version

Verify Fix Applied:

Verify Java version is updated beyond affected versions and check patch installation logs

📡 Detection & Monitoring

Log Indicators:

Unusual TLS connection patterns to Java applications
Unexpected Java process behavior or crashes

Network Indicators:

Suspicious TLS traffic to Java application ports
Anomalous data exfiltration patterns

SIEM Query:

source="java.log" AND (error OR exception) AND (TLS OR SSL) AND version IN ("8u361", "11.0.18", "17.0.6", "20")

📊 Metadata

CVE ID: CVE-2023-21930

CVSS v3 Score: 7.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Published: April 18, 2023

Last Updated: November 21, 2024

🔗 References

https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20230427-0008/ Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.couchbase.com/alerts/ Third Party Advisory
https://www.debian.org/security/2023/dsa-5430 Third Party Advisory
https://www.debian.org/security/2023/dsa-5478 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2023.html Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html Mailing List,Third Party Advisory
https://security.netapp.com/advisory/ntap-20230427-0008/ Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.couchbase.com/alerts/ Third Party Advisory
https://www.debian.org/security/2023/dsa-5430 Third Party Advisory
https://www.debian.org/security/2023/dsa-5478 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2023.html Patch,Vendor Advisory