The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2024 CPU advisory:

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391,     8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise     Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation,     deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle     GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete     access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.     (CVE-2024-20918)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product     of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391,     8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise     Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access     to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM     Enterprise Edition accessible data. (CVE-2024-20921)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 17.0.9;     Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this     vulnerability can result in unauthorized creation, deletion or modification access to critical data or     all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.     (CVE-2024-20932)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle Java SE Multiple Vulnerabilities (January 2024 CPU)

high Nessus Plugin ID 189116

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Apr 19, 2024, 11:43 AM IAVM reference Plugin Feed: 202404191143
Version 1.2 Jan 19, 2024, 2:06 PM STIG Severity (set to "I") IAVM reference Plugin Feed: 202401191406
Version 1.1 Jan 18, 2024, 8:01 PM CVSS metrics ("CVSSv2 score" set to 7.8. "CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:U/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:U/RL:O/RC:C") CVSSv2 severity (based on CVE-2024-20932, severity increased from "Medium" to "High") Exploit attributes ("Exploit available" set to "False". "Exploitability ease" set to "No known exploits are available") Plugin Feed: 202401182001
Version 1.0 Jan 17, 2024, 5:08 PM New Plugin Feed: 202401171708