CVE-2023-21937: Low severity Oracle GraalVM vulnerability

Q: What is the severity of CVE-2023-21937?

The severity of CVE-2023-21937 is low, with a severity value of 3.7.

Q: Which versions of Oracle Java SE and Oracle GraalVM Enterprise Edition are affected by CVE-2023-21937?

Oracle Java SE versions 8u361, 11.0.18, 17.0.6, and 20, as well as Oracle GraalVM Enterprise Edition versions 20.3.9, 21.3.5, and 22.3.1 are affected by CVE-2023-21937.

Q: What component of Oracle Java SE is affected by CVE-2023-21937?

The Networking component of Oracle Java SE is affected by CVE-2023-21937.

Q: How can I fix CVE-2023-21937?

To fix CVE-2023-21937, it is recommended to update to the latest available versions of Oracle Java SE or Oracle GraalVM Enterprise Edition.

Q: Are there any references related to CVE-2023-21937?

Yes, you can find more information about CVE-2023-21937 in the following references: [Link 1](https://github.com/openjdk/jdk8u/commit/a02c2bfb23dec01c987af1859654f0e4b44d70c6), [Link 2](https://github.com/openjdk/jdk8u/commit/2a54b080ed565c1d1ddadad27d2e4b77058ef2c7), [Link 3](https://github.com/openjdk/jdk8u/commit/17ba2dfb47f22a6a89609c94be50cabc6df5c8c9).

Published Apr 18, 2023

Updated

A flaw was found in various components of OpenJDK in the way strings containing NULL characters were used. A specially-crafted input could lead a Java application to truncate strings incorrectly and misbehave, possibly impacting the integrity of the application.

Other sources

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Affected Software

96 affected componentsFixes available

debian/openjdk-11<=11.0.16+8-1~deb10u1

11.0.21+9-1~deb10u111.0.20+8-1~deb11u111.0.21+9-1~deb11u111.0.22~6ea-1

debian/openjdk-17

17.0.7+7-1~deb11u117.0.9+9-1~deb11u117.0.9+9-1~deb12u117.0.10~6ea-1

debian/openjdk-20

20.0.2+9-1

debian/openjdk-8

8u392-ga-1

Oracle GraalVM=20.3.9

Oracle GraalVM=21.3.5

Oracle GraalVM=22.3.1

Oracle JDK=1.8.0-update361

Oracle JDK=11.0.18

Oracle JDK=17.0.6

Oracle JDK=20

Oracle JRE=1.8.0-update361

Oracle JRE=11.0.18

Oracle JRE=17.0.6

Oracle JRE=20

NetApp 7-Mode Transition Tool

NetApp Brocade San Navigator

NetApp Cloud Insights Acquisition Unit

NetApp Cloud Insights Storage Workload Security Agent

NetApp OnCommand Insight

Debian Debian Linux=10.0

Debian Debian Linux=11.0

Debian Debian Linux=12.0

Oracle OpenJDK<8

Oracle OpenJDK>=11<=11.0.18

Oracle OpenJDK>=17<=17.0.6

Oracle OpenJDK=8

Oracle OpenJDK=8-milestone1

Oracle OpenJDK=8-milestone2

Oracle OpenJDK=8-milestone3

Oracle OpenJDK=8-milestone4

Oracle OpenJDK=8-milestone5

Oracle OpenJDK=8-milestone6

Oracle OpenJDK=8-milestone7

Oracle OpenJDK=8-milestone8

Oracle OpenJDK=8-milestone9

Oracle OpenJDK=8-update101

Oracle OpenJDK=8-update102

Oracle OpenJDK=8-update11

Oracle OpenJDK=8-update111

Oracle OpenJDK=8-update112

Oracle OpenJDK=8-update121

Oracle OpenJDK=8-update131

Oracle OpenJDK=8-update141

Oracle OpenJDK=8-update151

Oracle OpenJDK=8-update152

Oracle OpenJDK=8-update161

Oracle OpenJDK=8-update162

Oracle OpenJDK=8-update171

Oracle OpenJDK=8-update172

Oracle OpenJDK=8-update181

Oracle OpenJDK=8-update191

Oracle OpenJDK=8-update192

Oracle OpenJDK=8-update20

Oracle OpenJDK=8-update201

Oracle OpenJDK=8-update202

Oracle OpenJDK=8-update211

Oracle OpenJDK=8-update212

Oracle OpenJDK=8-update221

Oracle OpenJDK=8-update222

Oracle OpenJDK=8-update231

Oracle OpenJDK=8-update232

Oracle OpenJDK=8-update241

Oracle OpenJDK=8-update242

Oracle OpenJDK=8-update25

Oracle OpenJDK=8-update252

Oracle OpenJDK=8-update262

Oracle OpenJDK=8-update271

Oracle OpenJDK=8-update281

Oracle OpenJDK=8-update282

Oracle OpenJDK=8-update291

Oracle OpenJDK=8-update301

Oracle OpenJDK=8-update302

Oracle OpenJDK=8-update31

Oracle OpenJDK=8-update312

Oracle OpenJDK=8-update322

Oracle OpenJDK=8-update332

Oracle OpenJDK=8-update342

Oracle OpenJDK=8-update352

Oracle OpenJDK=8-update362

Oracle OpenJDK=8-update40

Oracle OpenJDK=8-update45

Oracle OpenJDK=8-update5

Oracle OpenJDK=8-update51

Oracle OpenJDK=8-update60

Oracle OpenJDK=8-update65

Oracle OpenJDK=8-update66

Oracle OpenJDK=8-update71

Oracle OpenJDK=8-update72

Oracle OpenJDK=8-update73

Oracle OpenJDK=8-update74

Oracle OpenJDK=8-update77

Oracle OpenJDK=8-update91

Oracle OpenJDK=8-update92

Oracle OpenJDK=20

IBM DB2 Recovery Expert for LUW<=5.5 IF 2

Event History

Apr 18, 2023

Data Sourced

via Red Hat·04:56 PM

DescriptionSeverityAffected Software

CVE Published

via MITRE·07:54 PM

Data Sourced

via MITRE·07:54 PM

DescriptionSeverity

Feb 5, 2026

Data Sourced

via IBM·12:00 AM

DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

IBM-7259901

Frequently Asked Questions

What is the severity of CVE-2023-21937?

The severity of CVE-2023-21937 is low, with a severity value of 3.7.

Which versions of Oracle Java SE and Oracle GraalVM Enterprise Edition are affected by CVE-2023-21937?

Oracle Java SE versions 8u361, 11.0.18, 17.0.6, and 20, as well as Oracle GraalVM Enterprise Edition versions 20.3.9, 21.3.5, and 22.3.1 are affected by CVE-2023-21937.

What component of Oracle Java SE is affected by CVE-2023-21937?

The Networking component of Oracle Java SE is affected by CVE-2023-21937.

How can I fix CVE-2023-21937?

To fix CVE-2023-21937, it is recommended to update to the latest available versions of Oracle Java SE or Oracle GraalVM Enterprise Edition.

Are there any references related to CVE-2023-21937?

Yes, you can find more information about CVE-2023-21937 in the following references: [Link 1](https://github.com/openjdk/jdk8u/commit/a02c2bfb23dec01c987af1859654f0e4b44d70c6), [Link 2](https://github.com/openjdk/jdk8u/commit/2a54b080ed565c1d1ddadad27d2e4b77058ef2c7), [Link 3](https://github.com/openjdk/jdk8u/commit/17ba2dfb47f22a6a89609c94be50cabc6df5c8c9).

CVE-2023-21937: Low severity Oracle GraalVM vulnerability

Other sources

Affected Software

Event History

Parent advisories

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2023-21937?

Which versions of Oracle Java SE and Oracle GraalVM Enterprise Edition are affected by CVE-2023-21937?

What component of Oracle Java SE is affected by CVE-2023-21937?

How can I fix CVE-2023-21937?

Are there any references related to CVE-2023-21937?

Company

Resources

Contact