
CVE-2024-20945: Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. in Oracle Corporation Java SE JDK and JRE

Severity: Medium
Published: Sat Feb 17 2024 (02/17/2024, 01:50:15 UTC)
Source: CVE Database V5
Vendor/Project: Oracle Corporation
Product: Java SE JDK and JRE

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

AI-Powered Analysis

Last updated: 11/03/2025, 23:46:16 UTC

Technical Analysis

CVE-2024-20945 is a vulnerability in the security component of Oracle Java SE and Oracle GraalVM platforms, including both standard and enterprise editions. It affects a broad range of versions: Oracle Java SE 8u391, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK 17.0.9, 21.0.1; and Oracle GraalVM Enterprise Edition 20.3.12, 21.3.8, and 22.3.4. The vulnerability is characterized as difficult to exploit, requiring a low privileged attacker to have authenticated access to the infrastructure where these Java runtimes execute. The attack vector is local (AV:L), with high attack complexity (AC:H), and requires low privileges (PR:L) but no user interaction (UI:N). Successful exploitation can lead to unauthorized access to critical or all accessible data within the Java runtime environment, impacting confidentiality (CVSS 3.1 base score 4.7). The vulnerability can be exploited through APIs in the security component, for example via web services that supply data to these APIs. It also applies to Java deployments that run sandboxed Java Web Start applications or applets loading untrusted code, relying on the Java sandbox for security. The vulnerability does not affect integrity or availability, and no known exploits have been reported in the wild. Given the complexity and requirement for local access, exploitation is non-trivial but possible in environments where attackers have some foothold.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to confidentiality of sensitive data processed or stored within Java SE and GraalVM environments. Organizations running affected Java versions in critical applications, middleware, or backend services could face unauthorized data disclosure if attackers gain low privileged access to the infrastructure. This is particularly concerning for sectors with high data sensitivity such as finance, healthcare, and government. The vulnerability could be leveraged in multi-stage attacks where initial access is obtained through other means, then escalated to access critical Java runtime data. Although the vulnerability does not impact integrity or availability, unauthorized data access can lead to compliance violations under GDPR and other data protection regulations, resulting in legal and reputational damage. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in complex enterprise environments with multiple Java-based services.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Apply Oracle's security patches or updates for all affected Java SE and GraalVM versions as soon as they become available to eliminate the vulnerability.
2) Restrict and monitor access to infrastructure hosting Java runtimes, ensuring that only trusted and authorized users have logon capabilities, thereby reducing the attack surface.
3) Harden Java runtime configurations by disabling or limiting use of vulnerable APIs where feasible, especially in web services that accept external data inputs.
4) For environments running sandboxed Java Web Start applications or applets, enforce strict code signing and validation policies to prevent execution of untrusted code.
5) Employ network segmentation and application-layer controls to isolate critical Java-based services from less trusted network zones.
6) Monitor logs and audit trails for unusual access patterns or API usage indicative of exploitation attempts.
7) Conduct regular security assessments and penetration tests focusing on Java runtime environments to identify potential exploitation paths.

These targeted actions go beyond generic advice by focusing on access control, runtime hardening, and proactive detection tailored to the nature of this vulnerability.


Technical Details

Data Version: 5.2
Assigner Short Name: oracle
Date Reserved: 2023-12-07T22:28:10.626Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69092618fe7723195e0b37d2

Added to database: 11/3/2025, 10:00:56 PM

Last enriched: 11/3/2025, 11:46:16 PM

Last updated: 11/5/2025, 2:12:49 PM
