Oracle Java SE < 11.0.21 — DoS
An unauthenticated attacker can crash Java applications that use TLS/SSL by sending a malformed TLS handshake message. Apply the October 2023 Critical Patch Update: this affects any server-side Java application that accepts TLS connections through the JDK's built-in JSSE provider.
An unauthenticated attacker who can reach a Java HTTPS endpoint can cause repeated denial of service by sending malformed TLS handshake messages; no credentials or client certificate are needed, because the failure occurs before the handshake completes. This is particularly damaging for high-availability services: a crashed JVM triggers an automatic restart or failover, and an attacker who keeps sending the messages can hold the service in a restart loop.
Java's built-in TLS implementation (JSSE) fails to handle certain malformed TLS handshake messages properly, so the JVM throws an uncaught exception and crashes. Any Java application that accepts TLS connections through the built-in JSSE library is affected, including HTTPS servers, TLS-secured database connections and message brokers. Two scoping caveats: whether an uncaught exception takes down the whole process or only the thread handling that connection depends on how the application structures its accept and handshake code, and an application that terminates TLS elsewhere (a reverse proxy or load balancer in front of it, or a native TLS provider in place of JSSE) is exposed only on the paths where JSSE still handles the handshake.
Probably yes if any of these apply:
- You run Oracle Java SE earlier than 11.0.21, or any JDK/JRE build that predates the October 2023 Critical Patch Update.
- The application accepts TLS connections directly in the JVM through JSSE (an HTTPS listener, a TLS-enabled database or message-broker connection) rather than behind a proxy that terminates TLS for it.
Affected versions: Oracle Java SE releases before 11.0.21, on any operating system. The same CPU carries the corresponding fix for the other supported release lines (8u391, 17.0.9 and 21.0.1), so treat older releases of those lines the same way.
A financial services firm runs a Java-based trading API that accepts TLS connections directly in the JVM. An attacker sends a flood of malformed TLS ClientHello messages, causing the Java process to crash repeatedly. The auto-restart loop causes cascading delays in trade execution. The October 2023 CPU patches the JSSE handshake parser so the malformed messages are rejected instead of crashing the process.
Manual remediation steps
⏱ 30 minutes
Check Java version (this reports only the JVM on PATH; run the same command for every JDK/JRE installed, including copies bundled with application servers and container images):
java -version 2>&1
Apply the October 2023 CPU: install Oracle Java SE 11.0.21 (or the patched release of the line you run) and restart every JVM-based service so it picks up the new runtime; a JVM that is already running keeps using the old libraries until restarted.
Verify that the reported version is 11.0.21 or later on the 11 line (or the patched release of your line):
java -version 2>&1
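The steps above still leave the operator to read the banner and decide whether it is old enough to matter. The script below is an added example, not code from the original page: it parses the first line of `java -version 2>&1`, normalises both the legacy `1.8.0_381` and the `11.0.20` / `21` version schemes, and compares the result against the first release of that line that carries the October 2023 CPU. The page names only 11.0.21; the 8u391, 17.0.9 and 21.0.1 minimums are taken from Oracle's release list for the same CPU and are marked as such in the code. The sample banners are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): classify a `java -version` banner
# against the October 2023 Critical Patch Update.

# java_version_key VERSION -> "MAJOR MINOR PATCH" as three integers.
# Accepts the legacy 1.8.0_381 scheme and the 11.0.20 / 21 / 21-ea schemes.
java_version_key() {
  v=${1%%[-+]*}                      # drop "-ea" / "+7" style suffixes
  case "$v" in
    1.*)                             # 1.8.0_381 -> 8 0 381
      fam=${v#1.}; fam=${fam%%.*}
      upd=${v#*_}; [ "$upd" = "$v" ] && upd=0
      printf '%s %s %s\n' "$fam" 0 "$upd" ;;
    *)                               # 11.0.20 -> 11 0 20 ; 21 -> 21 0 0
      set -- $(printf '%s\n' "$v" | tr '.' ' ')
      printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" ;;
  esac
}

# java_fixed_release FAMILY -> first release of that line with the October 2023
# CPU, or empty if the line is not one this check knows about.
java_fixed_release() {
  case "$1" in
    8)  echo 1.8.0_391 ;;   # assumption from Oracle's CPU release list, not the page
    11) echo 11.0.21 ;;     # the version the page names
    17) echo 17.0.9 ;;      # assumption from Oracle's CPU release list
    21) echo 21.0.1 ;;      # assumption from Oracle's CPU release list
    *)  echo "" ;;
  esac
}

# java_needs_cpu VERSION -> returns 0 if VERSION predates the fixed release of
# its line, 1 if it already includes the CPU, 2 if the line is unknown.
java_needs_cpu() {
  set -- $(java_version_key "$1")
  min=$(java_fixed_release "$1")
  [ -n "$min" ] || return 2
  set -- "$@" $(java_version_key "$min")   # $1 $2 $3 installed, $4 $5 $6 minimum
  if [ "$2" -lt "$5" ] || { [ "$2" -eq "$5" ] && [ "$3" -lt "$6" ]; }; then
    return 0
  fi
  return 1
}

# java_check BANNER -> parses the first line of `java -version 2>&1` output,
# prints a verdict and returns java_needs_cpu's status.
java_check() {
  ver=$(printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p')
  if [ -z "$ver" ]; then
    echo "UNKNOWN: could not find a version string in the banner"
    return 2
  fi
  rc=0; java_needs_cpu "$ver" || rc=$?
  case $rc in
    0) echo "VULNERABLE: $ver predates the October 2023 CPU" ;;
    1) echo "OK: $ver includes the October 2023 CPU" ;;
    *) echo "UNKNOWN: $ver is not a release line this check covers" ;;
  esac
  return $rc
}

# Constructed sample banners (not captured from a real host).
SAMPLE_OLD='openjdk version "11.0.20" 2023-07-18
OpenJDK Runtime Environment (build 11.0.20+8)
OpenJDK 64-Bit Server VM (build 11.0.20+8, mixed mode)'
SAMPLE_NEW='java version "11.0.21" 2023-10-17 LTS
Java(TM) SE Runtime Environment (build 11.0.21+9)
Java HotSpot(TM) 64-Bit Server VM (build 11.0.21+9, mixed mode)'

# Run against the JVM on PATH when there is one, otherwise against the sample.
if command -v java >/dev/null 2>&1; then
  java_check "$(java -version 2>&1)" || :
else
  java_check "$SAMPLE_OLD" || :
fi
```

To cover JVMs that are not on PATH, feed the function each installation's own banner, for example `java_check "$(/opt/app/jre/bin/java -version 2>&1)"` for a bundled runtime; the exit status (0 vulnerable, 1 patched, 2 unknown) makes it usable from an inventory loop.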