Safeguard
Security

CVE-2023-22081: The Oracle Java JSSE Denial-of-Service Flaw

CVE-2023-22081 is a Java SE and GraalVM vulnerability in the JSSE component that can cause a partial denial of service over HTTPS. Here is what to patch.

Priya Mehta
Security Analyst
5 min read

CVE-2023-22081 is a vulnerability in the JSSE (Java Secure Socket Extension) component of Oracle Java SE and GraalVM that lets an unauthenticated remote attacker cause a partial denial of service to applications using HTTPS. It was disclosed in Oracle's October 2023 Critical Patch Update and carries a CVSS 3.1 base score of 5.3. The fix is to update to the patched Java release for your version line.

This is not a dramatic remote-code-execution bug, but it is broad. Any Java service that terminates TLS itself is a potential target, and "cause the connection to hang or fail" is a real availability problem for internet-facing systems.

What component is affected

The flaw is in JSSE, the part of the JDK that implements TLS/SSL. That places it squarely in the network path of most HTTPS traffic that a Java process handles directly. Per Oracle's advisory and the NVD entry, the vulnerability can be exploited remotely without authentication and without user interaction, over the protocols that JSSE serves.

The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. Reading that vector: network attack vector, low complexity, no privileges, no user interaction, and the only impact is to availability (the A:L at the end). There is no confidentiality or integrity impact, which is why the score lands at 5.3 (medium) rather than higher.

Affected versions

Oracle's October 2023 Critical Patch Update lists the following supported versions as affected:

  • Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, and 21.
  • Oracle GraalVM for JDK: 17.0.8 and 21.
  • Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7, and 22.3.3.

If you are running one of those exact versions, or an older release on the same line, treat yourself as affected. OpenJDK-derived distributions consumed the same fix through their own October 2023 update cycle, so check your distribution's advisory (Red Hat, Amazon Corretto, Eclipse Temurin, and others tracked this CVE).

What the exploit scenario looks like

Oracle's note describes the classic sandbox-escape framing — clients running sandboxed Web Start apps or applets that load untrusted code. But the more relevant modern reading is simpler: JSSE handles TLS, and a flaw in TLS handling that degrades availability matters to any Java process that speaks HTTPS, including servers.

The practical concern is that an attacker who can reach your TLS endpoint can send traffic that pushes the affected code into a partial denial-of-service state, degrading service for legitimate users. There is no data disclosure, so the risk is availability, not a breach. We are not publishing a payload; the takeaway is that the exposure follows your HTTPS surface.

Remediation

The fix is a runtime update, not a code change. Move to the patched build for your line:

  • On Java 8, 11, 17, or 21, apply the October 2023 CPU release or any later update for that line.
  • On GraalVM, move past the affected versions listed above to a patched release.

Verify what you are actually running, which is often not what a Dockerfile claims:

java -version

In containerized deployments, the JDK ships inside the base image, so remediation means rebuilding on an updated base image and redeploying — not patching a host. Pin your base image to a digest and bump it deliberately:

FROM eclipse-temurin:21.0.5_11-jre

Finding it across a fleet

The hard part of a Java CVE like this is not the fix, it is inventory. You need to know every service, base image, and build artifact that ships an affected JDK. This is where a software bill of materials pays off. Generating an SBOM per build and scanning it against advisory data will flag CVE-2023-22081 wherever the vulnerable runtime is bundled. A software composition analysis workflow that tracks the JDK as a component — not just your application libraries — is what turns "we think we patched it" into "we know these three images still ship it."

For teams standardizing their vulnerability response process, our security vulnerability assessment guide walks through triage and prioritization once a scanner surfaces findings like this one.

FAQ

How severe is CVE-2023-22081?

It has a CVSS 3.1 base score of 5.3, rated medium. The only impact is availability (a partial denial of service); there is no confidentiality or integrity impact.

Does CVE-2023-22081 affect servers or only client applications?

Oracle frames it around sandboxed client code, but because the flaw is in JSSE (TLS handling), any Java deployment that processes HTTPS directly is worth patching. Server operators should not treat it as client-only.

Which Java versions need updating?

Affected versions include Java SE 8u381, 11.0.20, 17.0.8, and 21, plus specific GraalVM releases. Update to the October 2023 Critical Patch Update build for your line or any later release.

Is this a code fix or a runtime update?

A runtime update. You do not change your application; you update the JDK/JRE (or rebuild container images on a patched base) to the fixed version.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.