Oracle Java SE Vulnerability: Critical Security Update Issued by BSI

The German Federal Office for Information Security (BSI) has issued an update regarding a critical security vulnerability affecting Oracle Java SE. The vulnerability, discovered on October 15, 2024, comprises multiple weaknesses that a remote attacker could exploit to compromise confidentiality, integrity, and availability.

The vulnerability affects various operating systems including Linux, UNIX, and Windows, as well as numerous products like IBM Java, Debian Linux, IBM WebSphere Service Registry and Repository, IBM Tivoli Monitoring, Amazon Linux 2, IBM InfoSphere Information Server, Open Source OpenJDK, Red Hat Enterprise Linux, IBM WebSphere Application Server, Ubuntu Linux, SUSE Linux, Oracle Linux, Gentoo Linux, SUSE openSUSE, Azul Zulu, Oracle Java SE, IBM QRadar SIEM, Hitachi Command Suite, Hitachi Ops Center, Hitachi Configuration Manager, Dell NetWorker, IBM App Connect Enterprise, IBM Sterling Connect:Direct, and Amazon Corretto.

The BSI has assigned a CVSS Base Score of 8.1, classifying the vulnerability as "high" in severity. The CVSS Temporal Score is 7.1.

The vulnerability is tracked by the following CVE identifiers: CVE-2023-42950, CVE-2024-21208, CVE-2024-21210, CVE-2024-21211, CVE-2024-21217, CVE-2024-21235, CVE-2024-25062, and CVE-2024-36138.

Users are advised to refer to the latest manufacturer recommendations for updates, workarounds, and security patches, which can be found in the IBM Security Bulletin 7182775.
