SB2023011785 - Multiple vulnerabilities in Oracle GraalVM Enterprise Edition
Published: January 17, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2023-21843)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Sound component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
2) Improper input validation (CVE-ID: CVE-2023-21830)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Serialization component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
3) Improper input validation (CVE-ID: CVE-2023-21835)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
4) Reliance on Reverse DNS Resolution for a Security-Critical Action (CVE-ID: CVE-2022-43548)
The vulnerability allows a remote attacker to perform DNS rebinding attacks.
The vulnerability exists due to improper validation of octal IP address within the Node.js rebinding protector for --inspec. A remote attacker can
resolve the invalid octal address via DNS. When combined with an active
--inspect session, such as when using VSCode, an attacker can perform DNS
rebinding and execute arbitrary code in client's browser.
Remediation
Install update from vendor's website.