CVE-2024-21012 - Vulnerability in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition Networking Component

A recent vulnerability, CVE-2024-21012, has been discovered in the Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products of Oracle Java SE - specifically the Networking component. The supported versions affected include Oracle Java SE: 11..22, 17..10, 21..2, 22; Oracle GraalVM for JDK: 17..10, 21..2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9.

This vulnerability makes it difficult to exploit and allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert, or delete access to some of the accessible data in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition.

It's important to note that this vulnerability applies to Java deployments, primarily in clients running sandboxed Java Web Start applications or sandboxed Java applets, which load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

The CVSS 3.1 Base Score for this vulnerability is 3.7, with the scope being integrity impacts. The CVSS Vector is as follows: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Code Snippet

An example of a connection in a sandboxed Java Web Start application or sandboxed Java applet can be found below:

try {
    URL url = new URL("http://example.com";);
    URLConnection connection = url.openConnection();
    InputStream inputStream = connection.getInputStream();
    // process or manipulate the input stream
} catch (IOException e) {
    e.printStackTrace();
}

This code demonstrates connecting to a URL and obtaining an input stream for that connection. However, if the code in the try block executes and connects to a malicious URL, it could potentially lead to an unauthorized update, insert, or delete access in the affected system.

Exploit Details

No known exploits are available yet for CVE-2024-21012, as this vulnerability has only recently been discovered. Also, given the difficulty of exploiting this vulnerability, it is not expected that a working exploit would be widely available in the near future. Still, keeping track of security updates and patches from Oracle is crucial for ensuring that your Java environments are safe and secure.

Original References

1. Oracle Security Advisory for CVE-2024-21012: https://www.oracle.com/security-alerts/alert-CVE-2024-21012.html

2. CVE-2024-21012 Vulnerability Details: https://nvd.nist.gov/vuln/detail/CVE-2024-21012

3. Oracle GraalVM for JDK: https://www.graalvm.org/

4. Oracle Java SE: https://www.oracle.com/java/technologies/javase-downloads.html

5. Oracle GraalVM Enterprise Edition: https://www.oracle.com/graalvm/graalvm-ee/

Conclusion

It is essential to be aware of vulnerabilities like CVE-2024-21012 within Oracle Java SE and GraalVM products. Although, as of now, there is minimal risk associated with this CVE, organizations should not become complacent in monitoring and applying updates and patches as they become available. By being vigilant and proactive in your security posture, you can help prevent unauthorized access and maintain the integrity and confidentiality of your systems and data.

Timeline

Published on: 04/16/2024 22:15:15 UTC
Last modified on: 04/26/2024 09:15:10 UTC