The 8u401, 20.3.13, 21.3.9, 11.0.23, 17.0.11, 21.0.3, 22, and perf versions of Java installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JavaFX (WebKitGTK)). Supported versions that are affected are Oracle Java SE: 8u401; Oracle     GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition. Successful attacks require human interaction from a person other than the attacker. Successful     attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM Enterprise     Edition.(CVE-2023-41993)

  - Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Node (Node.js)). Supported     versions that are affected are Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22. Difficult to exploit vulnerability     allows low privileged attacker with logon to the infrastructure where Oracle GraalVM for JDK executes to     compromise Oracle GraalVM for JDK. While the vulnerability is in Oracle GraalVM for JDK, attacks may significantly     impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Oracle GraalVM for JDK accessible data as well     as unauthorized access to critical data or complete access to all Oracle GraalVM for JDK accessible data.
    (CVE-2024-21892)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf,     11.0.23, 17.0.11, 21.0.3, 22; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22; Oracle GraalVM Enterprise Edition:     20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access     via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.     Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.     (CVE-2024-21011)


Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle Java (Apr 2024 CPU)

critical Nessus Plugin ID 193574

Version 1.1

Version 1.0

Version 1.1 Apr 20, 2024, 5:07 PM CISA reference CVSS metrics ("CVSSv2 score" set to 10.0) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to 9.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202404201707
Version 1.0 Apr 19, 2024, 4:41 PM New Plugin Feed: 202404191641