A vulnerability (CVE-2024-21011) disclosed in Oracle's Critical Patch Update affects Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition and, if exploited, can result in a partial denial of service (DoS). The affected versions are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; and Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9.

Details

The vulnerability is found in the Hotspot component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It is difficult to exploit, but a successful attack by an unauthenticated attacker with network access via multiple protocols can result in an unauthorized ability to cause a partial denial of service of these products.

Exploiting the vulnerability requires using APIs in the specified component, which can be achieved through a web service that supplies data to the APIs. The vulnerability also affects Java deployments, such as clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code from the internet and rely on the Java sandbox for security.

The Common Vulnerability Scoring System (CVSS) 3.1 Base Score for this vulnerability is 3.7 (Low severity), with availability impact only. The CVSS Vector is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Here is a schematic illustration of the exposure pattern described above: a network-facing web service that forwards untrusted input into the affected APIs. The class names are placeholders used by this write-up, not real JDK types, so the snippet does not compile as-is.

// Schematic only: java.WebService and java.APIService are placeholder names,
// not real JDK classes.
import java.WebService;
import java.APIService;

public class VulnerableJava {
    public static void main(String[] args) {
        // A network-facing service that accepts data from untrusted clients
        WebService webService = new WebService();
        // The API layer that hands that data to the affected component
        APIService apiService = new APIService(webService);

        // Untrusted data reaches the affected API path here
        apiService.vulnerableMethod();
    }
}

Original References

1. Oracle Critical Patch Update Advisory
2. CVE-2024-21011 (National Vulnerability Database)
3. Oracle Java SE
4. Oracle GraalVM for JDK
5. Oracle GraalVM Enterprise Edition

Exploit Details

Although this vulnerability is difficult to exploit due to its high attack complexity, systems should still be patched promptly to prevent any possible exploitation. As there are no known workarounds for this vulnerability, upgrading to the latest versions is the only way to ensure protection.

Users of the affected Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition versions should upgrade to the latest versions and apply the necessary security patches without delay. Additionally, follow security best practices, such as running untrusted Java code only in a sandboxed environment and monitoring your systems for any unusual activity or patterns.
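To support the patching step above, the following added example (not part of the original advisory or of Oracle's tooling) parses `java -version` output and flags a runtime whose Java SE family release is at or below the highest affected release listed in this write-up. It assumes, as is usual for Oracle Critical Patch Updates but not stated on this page, that earlier unpatched releases of the same family are also affected, and it covers the Java SE families only (GraalVM builds report the underlying JDK version).

```python
import re
import subprocess

# Highest affected release per Java SE family, from the version list above.
# 8u401 is reported by `java -version` as "1.8.0_401".
# Assumption (not stated on the page): earlier releases of the same family
# are also affected; only families named in the advisory are checked.
AFFECTED_MAX = {
    8: (1, 8, 0, 401),
    11: (11, 0, 22),
    17: (17, 0, 10),
    21: (21, 0, 2),
    22: (22,),
}

_VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_version(java_version_output: str) -> tuple:
    """Extract the numeric version tuple from `java -version` output."""
    match = _VERSION_RE.search(java_version_output)
    if not match:
        raise ValueError("no version string found in java -version output")
    raw = match.group(1)                 # e.g. '1.8.0_401', '17.0.10', '22'
    numbers = []
    for part in re.split(r"[._+-]", raw):  # stop at build suffixes such as '+9-LTS'
        if not part.isdigit():
            break
        numbers.append(int(part))
    return tuple(numbers)


def family(version: tuple) -> int:
    """Map legacy 1.x numbering (1.8.0_401) and modern numbering (17.0.10) to a family."""
    return version[1] if version[0] == 1 else version[0]


def is_affected(java_version_output: str) -> bool:
    """True if the reported release is at or below the highest affected release."""
    version = parse_version(java_version_output)
    ceiling = AFFECTED_MAX.get(family(version))
    if ceiling is None:
        return False
    width = max(len(version), len(ceiling))   # zero-pad so '22' compares as 22.0.0
    padded_version = version + (0,) * (width - len(version))
    padded_ceiling = ceiling + (0,) * (width - len(ceiling))
    return padded_version <= padded_ceiling


def check_local_java() -> bool:
    """Run the local `java -version` (prints to stderr) and evaluate it."""
    result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_affected(result.stderr or result.stdout)
```

A 22.0.1 or 17.0.11 runtime compares above the listed ceiling and is reported as not affected, while 21.0.2 and 1.8.0_401 are flagged.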

Stay up-to-date on the latest security advisories and patch information to ensure the continued safety and security of your systems.

Timeline

Published on: 04/16/2024 22:15:15 UTC
Last modified on: 04/26/2024 09:15:10 UTC