We recently came across a vulnerability in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically in the Hotspot component. The affected versions are Oracle Java SE 8u401-perf, 11.0.22, 17.0.10, 21.0.2 and 22; Oracle GraalVM for JDK 17.0.10, 21.0.2 and 22; and Oracle GraalVM Enterprise Edition 21.3.9.

Exploit Details

This vulnerability (CVE-2024-21068) is described as difficult to exploit. It could allow an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Successful exploitation can result in unauthorized update, insert, or delete access to some of the data accessible to Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition.

It is noteworthy that the vulnerability can be exploited through APIs in the specified component, for example through a web service that supplies data to those APIs. The vulnerability applies to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

The CVSS 3.1 Base Score for this vulnerability is 3.7 (Integrity impact), with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Code Snippet

Please be aware that the code snippet below is a skeleton provided only to illustrate the vulnerability; it is not intended for nefarious use.

public class CVE_2024_21068_Exploit {
    public static void main(String[] args) {
        // ...
        // Instantiate vulnerable classes and call vulnerable methods
        // ...
    }
}

Mitigation Steps

We highly recommend updating your Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products to the latest versions, following Oracle's patching guidelines. Also maintain ongoing security best practices, including proper network segmentation, access control, and secure development practices.
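As an added inventory check (example code, not from the advisory or from Oracle), the script below parses `java -version` output and flags the affected Java SE and GraalVM for JDK builds listed above. It assumes the standard first-line format of `java -version` and that the 8u401-perf build reports itself as 1.8.0_401; GraalVM Enterprise Edition 21.3.9 is not identified this way.

```python
import re
import subprocess
from typing import Optional

# Affected builds as listed in the advisory text above. Oracle GraalVM for JDK
# shares the 17.0.10 / 21.0.2 / 22 entries. "8u401-perf" is assumed to report
# itself as 1.8.0_401 (assumption; a "-perf" suffix is stripped below).
# GraalVM Enterprise Edition 21.3.9 is not identified by this check.
AFFECTED = {"1.8.0_401", "11.0.22", "17.0.10", "21.0.2", "22"}

# `java -version` prints a first line such as:  java version "17.0.10" 2024-01-16 LTS
# or:  openjdk version "21.0.2" 2024-01-16. Only that line carries the version.
VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


def parse_java_version(output: str) -> Optional[str]:
    """Return the quoted version string from `java -version` output, or None."""
    match = VERSION_RE.search(output)
    return match.group(1) if match else None


def normalise(version: str) -> str:
    """Drop build/suffix parts such as '+7', '-LTS' or '-perf' before comparing."""
    return re.split(r"[+-]", version, maxsplit=1)[0]


def is_affected(output: str) -> bool:
    """True when the reported version is one of the advisory's affected builds.
    An exact match is required: 17.0.11 and 22.0.1 are later, patched releases."""
    version = parse_java_version(output)
    return version is not None and normalise(version) in AFFECTED


def check_local_java() -> bool:
    """Run `java -version` on this host (it writes to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:  # no JVM on PATH: nothing to patch here
        return False
    return is_affected(proc.stderr + proc.stdout)


# Constructed sample outputs (not captured from real hosts).
SAMPLE_AFFECTED = ('openjdk version "17.0.10" 2024-01-16\n'
                   'OpenJDK Runtime Environment (build 17.0.10+7)\n')
SAMPLE_PATCHED = ('java version "17.0.11" 2024-04-16 LTS\n'
                  'Java(TM) SE Runtime Environment (build 17.0.11+7-LTS-207)\n')
SAMPLE_JDK8 = ('java version "1.8.0_401"\n'
               'Java(TM) SE Runtime Environment (build 1.8.0_401-b10)\n')

if __name__ == "__main__":
    for name, sample in [("affected", SAMPLE_AFFECTED), ("patched", SAMPLE_PATCHED),
                         ("jdk8", SAMPLE_JDK8)]:
        print(name, parse_java_version(sample), "AFFECTED" if is_affected(sample) else "ok")
```

Feed it the captured `java -version` output from each host (or call `check_local_java()` on the host itself) to build a list of JVMs that still need the patch.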

In conclusion, while the CVE-2024-21068 vulnerability is relatively hard to exploit, it should not be ignored. Ensure that you're using the latest patched versions of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition to safeguard your systems and the integrity of your data.

Timeline

Published on: 04/16/2024 22:15:25 UTC
Last modified on: 07/05/2024 12:44:00 UTC