Common Vulnerabilities and Exposures Fixes for January 2024
The following Azul Platform Prime releases contain the January 2024 CPU release of OpenJDK:
CPU | PSU |
---|---|
23.08.300.0 |
24.01.0.0 |
23.02.700.0 |
23.08.400.0 |
The following table lists the latest CVE fixes added in the Azul Platform Prime CPU release. The CVE IDs in the table apply to JDK 8, JDK 11, and JDK 17 unless noted otherwise.
January 2024 CVE Fix
CVSS VERSION 3.1 RISK
CVE # | Component | Protocol | Remote Exploit w/o Auth. | Base Score | Attack Vector | Attack Complex | Privileges Req’d | User Interact | Scope | Confiden-tiality | Integrity | Availability | Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Security |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
High |
None |
17 |
Note 1 |
|
Security |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
21, 17, 11, 8 |
Note 1 |
|
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
None |
High |
None |
21, 17, 11, 8 |
Note 3 |
|
Scripting |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
11, 8 |
Note 2 |
|
Security |
None |
No |
4.7 |
Local |
High |
Low |
None |
Unchanged |
High |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
Low |
None |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
Multiple |
Yes |
3.1 |
Network |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
JavaFX |
None |
No |
2.5 |
Local |
High |
None |
Required |
Unchanged |
None |
Low |
None |
21, 17, 11, 8 |
Note 1 |
|
CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK: Node (Node.js) |
HTTP |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java) |
Multiple |
Yes |
7.5 |
Network |
Low |
None |
None |
Unchanged |
None |
None |
High |
None |
|
CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
7.4 |
Network |
High |
None |
None |
Unchanged |
High |
High |
None |
None |
Note 2 |
CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Hotspot |
Multiple |
Yes |
5.9 |
Network |
High |
None |
None |
Unchanged |
High |
None |
None |
None |
Note 2 |
CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE. |
Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler |
Multiple |
Yes |
3.7 |
Network |
High |
None |
None |
Unchanged |
Low |
None |
None |
None |
|
Notes:
ID | Notes |
---|---|
1 |
This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
2 |
This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. |
3 |
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service. |
Base and Impact Metric:
Metrics | Values |
---|---|
Attack Vector |
Network (N), Adjacent (A), Local (L), and Physical (P) |
Attack Complexity |
Low (L) and High (H) |
Privileges Required |
None (N), Low (L), and High (H) |
User Interaction |
None (N) and Required (R) |
Scope |
Unchanged (U) and Changed (C) |
Confidentiality Impact |
High (H), Low (L), and None (N) |
Integrity Impact |
High (H), Low (L), and None (N) |
Availability Impact |
High (H), Low (L), and None (N) |
In-Depth Non-CVE Security Fixes
The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.
January 2024 Non-CVE Security Fix
OpenJDK Patch ID | Azul Prime Version | Synopsis | CPU/PSUCPU fixes are included in both CPU and PSU bundles. PSU fixes are included in the PSU bundles only. |
---|---|---|---|
8, 11, 17 |
Enhanced certificate processing |
CPU,PSU |