Summary:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Severity: Low
Advisory ID: KylinSec-SA-2025-2334
Release date: April 20, 2025
Related CVE: CVE-2023-21835
This easily exploitable vulnerability allows an unauthenticated attacker with network access via DTLS to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. Successful exploitation can result in an unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE and Oracle GraalVM Enterprise Edition.
Affected products
Oracle Java SE and Oracle GraalVM Enterprise Edition (component: JSSE)
Affected versions
Oracle Java SE:
11.0.17
17.0.5
19.0.1
Oracle GraalVM Enterprise Edition:
20.3.8
21.3.4
22.3.0
Scope note
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
CVSS score
CVSS 3.1 base score: 5.3 (availability impact)
CVSS vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVE name | Product | Component | Affected |
---|---|---|---|
CVE-2023-21835 | KY3.4-5A | openjdk-17 | Unaffected |