Oracle GraalVM Enterprise Edition 19.3.2/20.1.0 Java Remote Code Execution

Summaryinfo

A vulnerability marked as critical has been reported in Oracle GraalVM Enterprise Edition 19.3.2/20.1.0. Affected by this vulnerability is an unknown functionality of the component Java. This manipulation causes Remote Code Execution. This vulnerability appears as CVE-2020-14583. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Oracle GraalVM Enterprise Edition 19.3.2/20.1.0 and classified as critical. Affected by this vulnerability is an unknown code of the component Java. The manipulation with an unknown input leads to a remote code execution vulnerability. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

The weakness was presented 07/15/2020 as Oracle Critical Patch Update Advisory - July 2020 as confirmed advisory (Website). It is possible to read the advisory at oracle.com. This vulnerability is known as CVE-2020-14583. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 208630 (CentOS 6 : java-1.7.1-ibm (RHSA-2020:3387)), which helps to determine the existence of the flaw in a target environment.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (208630). See VDB-158073, VDB-158074, VDB-158075 and VDB-158076 for similar entries. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Oracle

Name

• GraalVM Enterprise Edition

Version

• 19.3.2
• 20.1.0

License

• commercial

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion