CVE-2023-22067 in Java SEinfo

Summary

by MITRE • 10/25/2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/12/2025

The vulnerability identified as CVE-2023-22067 represents a critical integrity flaw within the CORBA component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This weakness exists in specific version ranges including Java SE 8u381 and 8u381-perf, alongside GraalVM Enterprise Edition versions 20.3.11 and 21.3.7. The vulnerability operates at the core of the Common Object Request Broker Architecture which serves as a middleware framework enabling communication between distributed objects. The flaw manifests as an insufficient input validation mechanism within the CORBA subsystem that fails to properly sanitize incoming data streams, creating an attack surface that can be exploited by remote unauthenticated adversaries.

The technical exploitation of this vulnerability occurs through network-based attacks targeting the CORBA component without requiring any authentication credentials or privileged access. Attackers can leverage this weakness by crafting malicious data payloads that are processed by the affected APIs within the CORBA framework. The CVSS 3.1 scoring system assigns this vulnerability a base score of 5.3, reflecting the integrity impact category with a low attack complexity and no privilege requirements. The attack vector is classified as network accessible, meaning the vulnerability can be triggered from external network locations without requiring physical access to the target system. The vulnerability's impact scope is rated as unscoped, indicating that while the attack may affect data integrity, it does not directly compromise availability or confidentiality of the affected systems.

The operational consequences of successful exploitation include unauthorized modification of data within the affected Oracle Java SE and GraalVM Enterprise Edition environments. Attackers can potentially insert, update, or delete data within the accessible data stores of these applications, creating potential for data corruption or manipulation. This vulnerability specifically targets the integrity aspects of the system rather than confidentiality or availability, making it particularly dangerous for applications that rely on maintaining data consistency and accuracy. The attack scenario requires that data be supplied through the affected APIs without utilizing Java Web Start applications or applets, meaning the exploitation must occur through direct API calls or web service interactions.

Organizations utilizing affected versions of Oracle Java SE or GraalVM Enterprise Edition should prioritize immediate remediation efforts to address this vulnerability. The recommended mitigation strategy involves upgrading to patched versions of the affected software components, as Oracle typically provides security updates through their regular release cycles. System administrators should also implement network segmentation and access controls to limit exposure of CORBA services to trusted networks only. Monitoring network traffic for unusual API call patterns or malformed data submissions can help detect potential exploitation attempts. The vulnerability aligns with CWE-20, which describes improper input validation, and represents a potential pathway for attackers following the MITRE ATT&CK framework's technique for data manipulation within application environments. Organizations should also consider implementing additional security controls such as intrusion detection systems and regular security assessments to identify and remediate similar vulnerabilities across their software infrastructure.

Responsible

Oracle

Reservation

12/17/2022

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00888

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!