Common Vulnerabilities and Exposures Fixes for January 2024

Table of Contents

January 2024 CVE Fix
In-Depth Non-CVE Security Fixes

Need help?

Schedule a consultation with an Azul performance expert.

The following Azul Platform Prime releases contain the January 2024 CPU release of OpenJDK:

CPU	PSU
23.08.300.0	24.01.0.0
23.02.700.0	23.08.400.0

CPU

PSU

23.08.300.0

24.01.0.0

23.02.700.0

23.08.400.0

The following table lists the latest CVE fixes added in the Azul Platform Prime CPU release. The CVE IDs in the table apply to JDK 8, JDK 11, and JDK 17 unless noted otherwise.

January 2024 CVE Fix

CVSS VERSION 3.1 RISK

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2024-20932	Security	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	High	None	17	Note 1
CVE-2024-20952	Security	Multiple	Yes	7.4	Network	High	None	None	Unchanged	High	High	None	21, 17, 11, 8	Note 1
CVE-2024-20919	Hotspot	Multiple	Yes	5.9	Network	High	None	None	Unchanged	None	High	None	21, 17, 11, 8	Note 3
CVE-2024-20926	Scripting	Multiple	Yes	5.9	Network	High	None	None	Unchanged	High	None	None	11, 8	Note 2
CVE-2024-20945	Security	None	No	4.7	Local	High	Low	None	Unchanged	High	None	None	21, 17, 11, 8	Note 1
CVE-2024-20923	JavaFX	Multiple	Yes	3.1	Network	High	None	Required	Unchanged	Low	None	None	21, 17, 11, 8	Note 1
CVE-2024-20925	JavaFX	Multiple	Yes	3.1	Network	High	None	Required	Unchanged	None	Low	None	21, 17, 11, 8	Note 1
CVE-2024-20922	JavaFX	None	No	2.5	Local	High	None	Required	Unchanged	None	Low	None	21, 17, 11, 8	Note 1
CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK: Node (Node.js)	HTTP	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None
CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None
CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	7.4	Network	High	None	None	Unchanged	High	High	None	None	Note 2
CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	Multiple	Yes	5.9	Network	High	None	None	Unchanged	High	None	None	None	Note 2
CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler	Multiple	Yes	3.7	Network	High	None	None	Unchanged	Low	None	None	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2024-20932

Security

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

Note 1

CVE-2024-20952

Security

Multiple

Yes

7.4

Network

High

None

Unchanged

High

None

21, 17, 11, 8

Note 1

CVE-2024-20919

Hotspot

Multiple

Yes

5.9

Network

High

None

Unchanged

None

High

None

21, 17, 11, 8

Note 3

CVE-2024-20926

Scripting

Multiple

Yes

5.9

Network

High

None

Unchanged

High

None

11, 8

Note 2

CVE-2024-20945

Security

None

4.7

Local

High

Low

None

Unchanged

High

None

21, 17, 11, 8

Note 1

CVE-2024-20923

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20925

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20922

JavaFX

None

2.5

Local

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2023-44487 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

Unchanged

None

High

None

CVE-2023-5072 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

CVE-2024-20918 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

Unchanged

High

None

Note 2

CVE-2024-20921 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

Unchanged

High

None

Note 2

CVE-2024-20955 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

Unchanged

Low

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
3	This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.

Base and Impact Metric:

Metrics	Values
Attack Vector	Network (N), Adjacent (A), Local (L), and Physical (P)
Attack Complexity	Low (L) and High (H)
Privileges Required	None (N), Low (L), and High (H)
User Interaction	None (N) and Required (R)
Scope	Unchanged (U) and Changed (C)
Confidentiality Impact	High (H), Low (L), and None (N)
Integrity Impact	High (H), Low (L), and None (N)
Availability Impact	High (H), Low (L), and None (N)

Metrics

Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required (R)

Scope

Unchanged (U) and Changed (C)

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

January 2024 Non-CVE Security Fix

OpenJDK Patch ID	Azul Prime Version	Synopsis	CPU/PSUCPU fixes are included in both CPU and PSU bundles. PSU fixes are included in the PSU bundles only.
JDK-8308204	8, 11, 17	Enhanced certificate processing	CPU,PSU

OpenJDK Patch ID

Azul Prime Version

Synopsis

JDK-8308204

8, 11, 17

Enhanced certificate processing

CPU,PSU