CVE-2024-21085 - Vulnerability in Oracle Java SE & GraalVM Enterprise Edition Leads to Partial Denial of Service Risk

A vulnerability, designated as CVE-2024-21085, has been discovered that affects certain Oracle Java SE and Oracle GraalVM Enterprise Edition versions. Exploitation of this vulnerability can lead to a partial denial of service (DOS) of affected products.

Details

The vulnerability lies in the Concurrency component, and it can be exploited by making use of APIs in the specified component, e.g., through a web service that supplies data to the APIs. This vulnerability also applies to Java deployments that run sandboxed Java Web Start applications or sandboxed Java applets, which load and run untrusted code (e.g., code coming from the internet) and rely on the Java sandbox for security.

Here's a snippet of code that demonstrates the use of potentially vulnerable APIs:

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class VulnerableConcurrencyExample {
    // Simple Runnable standing in for the work each submitted task performs
    static class WorkerThread implements Runnable {
        private final String name;
        WorkerThread(String name) { this.name = name; }
        @Override
        public void run() {
            System.out.println(Thread.currentThread().getName() + " running " + name);
        }
    }

    public static void main(String[] args) {
        // Fixed pool of 10 threads; the 500 submitted tasks queue up without any bound
        ExecutorService executor = Executors.newFixedThreadPool(10);

        for (int i = 0; i < 500; i++) {
            Runnable worker = new WorkerThread("Task " + i);
            executor.execute(worker);
        }
        executor.shutdown();
    }
}
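The snippet above hands an externally chosen number of tasks to a pool whose queue has no limit. As an added example (not from the original advisory or from Oracle), the following shows the defensive counterpart: a ThreadPoolExecutor with a bounded queue and an AbortPolicy, so that a task count supplied by an untrusted client is capped and accounted for rather than buffered without limit. The limits MAX_THREADS and MAX_QUEUED and the requested count of 500 are constructed values for illustration.

```java
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

// Added example: a pool that an externally supplied task count cannot flood.
public class BoundedConcurrencyExample {
    // Hypothetical limits chosen for illustration; size them for the real service.
    private static final int MAX_THREADS = 4;
    private static final int MAX_QUEUED = 32;

    public static void main(String[] args) {
        // Fixed pool with a bounded queue; AbortPolicy rejects excess work
        // instead of queuing it without limit.
        ThreadPoolExecutor executor = new ThreadPoolExecutor(
                MAX_THREADS, MAX_THREADS, 0L, TimeUnit.MILLISECONDS,
                new ArrayBlockingQueue<>(MAX_QUEUED),
                new ThreadPoolExecutor.AbortPolicy());

        // Constructed input standing in for a count received from an untrusted client.
        int requested = 500;
        int accepted = 0;
        int rejected = 0;
        for (int i = 0; i < requested; i++) {
            try {
                executor.execute(() -> {
                    try {
                        Thread.sleep(50); // stand-in for real work
                    } catch (InterruptedException e) {
                        Thread.currentThread().interrupt();
                    }
                });
                accepted++;
            } catch (RejectedExecutionException e) {
                rejected++; // over capacity: drop and count it rather than let the backlog grow
            }
        }

        executor.shutdown();
        try {
            // Bounded wait so a stuck task cannot hang shutdown indefinitely.
            if (!executor.awaitTermination(10, TimeUnit.SECONDS)) {
                executor.shutdownNow();
            }
        } catch (InterruptedException e) {
            executor.shutdownNow();
            Thread.currentThread().interrupt();
        }
        System.out.println("accepted=" + accepted + " rejected=" + rejected);
    }
}
```

The rejected count is what a service would surface as a metric or log line, since a sustained stream of rejections is the observable signal of an attempted resource-exhaustion condition.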

This vulnerability is difficult to exploit and requires an unauthenticated attacker to have network access via multiple protocols to compromise the affected systems. Successful exploitation of this vulnerability may result in unauthorized ability to cause a partial denial of service (partial DOS) of affected Oracle Java SE and GraalVM Enterprise Edition products.

CVSS 3.1 Base Score: 3.7 (Availability impacts)
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Original References

1. Oracle Critical Patch Update Advisory - January 2024
2. CVE-2024-21085

Exploit Details

There are currently no known exploits publicly available for this vulnerability. However, due to the nature of the vulnerability, caution is advised and ensuring proper security measures are taken is recommended.

Mitigation Steps

Updating to the latest version of the affected product is highly recommended. Users should apply the appropriate patches provided by Oracle and monitor any related updates and alerts for further information.

Conclusion

CVE-2024-21085 represents a threat to Oracle Java SE and GraalVM Enterprise Edition users. Although it is difficult to exploit, the vulnerability could lead to a partial denial of service in affected products. Users are advised to update their Oracle Java SE and GraalVM implementations promptly and refer to the original references for further context and guidance.

Timeline

Published on: 04/16/2024 22:15:28 UTC
Last modified on: 04/26/2024 09:15:11 UTC