Visit Azul.com Support

Common Vulnerabilities and Exposures Fixes for January 2024

Table of Contents
Need help?
Schedule a consultation with an Azul performance expert.
Contact Us
Looking for Zing?
The Azul Zing Virtual Machine is now Azul Zulu Prime Builds of OpenJDK and part of Azul Platform Prime.
Learn more

The following Azul Platform Prime releases contain the January 2024 CPU release of OpenJDK:

CPU PSU

23.08.300.0

24.01.0.0

23.02.700.0

23.08.400.0

The following table lists the latest CVE fixes added in the Azul Platform Prime CPU release. The CVE IDs in the table apply to JDK 8, JDK 11, and JDK 17 unless noted otherwise.

January 2024 CVE Fix

CVSS VERSION 3.1 RISK

CVE # Component Protocol Remote Exploit w/o Auth. Base Score Attack Vector Attack Complex Privileges Req’d User Interact Scope Confiden-tiality Integrity Availability Versions Affected Notes

CVE-2024-20932

Security

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

High

None

17

Note 1

CVE-2024-20952

Security

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

21, 17, 11, 8

Note 1

CVE-2024-20919

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

None

High

None

21, 17, 11, 8

Note 3

CVE-2024-20926

Scripting

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

11, 8

Note 2

CVE-2024-20945

Security

None

No

4.7

Local

High

Low

None

Unchanged

High

None

None

21, 17, 11, 8

Note 1

CVE-2024-20923

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

Low

None

None

21, 17, 11, 8

Note 1

CVE-2024-20925

JavaFX

Multiple

Yes

3.1

Network

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2024-20922

JavaFX

None

No

2.5

Local

High

None

Required

Unchanged

None

Low

None

21, 17, 11, 8

Note 1

CVE-2023-44487 This CVE is not applicable to Azul Prime Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK: Node (Node.js)

HTTP

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2023-5072 This CVE is not applicable to Azul Prime Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Tools (JSON-java)

Multiple

Yes

7.5

Network

Low

None

None

Unchanged

None

None

High

None

CVE-2024-20918 This CVE is not applicable to Azul Prime Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

7.4

Network

High

None

None

Unchanged

High

High

None

None

Note 2

CVE-2024-20921 This CVE is not applicable to Azul Prime Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

Multiple

Yes

5.9

Network

High

None

None

Unchanged

High

None

None

None

Note 2

CVE-2024-20955 This CVE is not applicable to Azul Prime Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition: Compiler

Multiple

Yes

3.7

Network

High

None

None

Unchanged

Low

None

None

None

Notes:

ID Notes

1

This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

2

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

3

This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted applications, such as through a web service.

Base and Impact Metric:

Metrics Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required (R)

Scope

Unchanged (U) and Changed (C)

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Platform Prime.

January 2024 Non-CVE Security Fix

OpenJDK Patch ID Azul Prime Version Synopsis CPU/PSUCPU fixes are included in both CPU and PSU bundles. PSU fixes are included in the PSU bundles only.

JDK-8308204

8, 11, 17

Enhanced certificate processing

CPU,PSU