A recently discovered vulnerability, CVE-2024-21094, affects multiple Oracle Java products, including Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. This vulnerability can lead to unauthorized data manipulation, which could have severe consequences for anyone using the affected versions of these products. This blog post will provide a comprehensive overview of the CVE-2024-21094 vulnerability, including details about the affected products, some sample code snippets to understand the problem better, and relevant links to the original references and exploit details.

Affected Products

The vulnerability CVE-2024-21094 affects the following Oracle Java products and their supported versions:

Exploit Details

This vulnerability is considered difficult to exploit. It allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Successful attacks can result in unauthorized update, insert, or delete access to some of the data accessible to the affected products.

The vulnerability can be exploited using APIs in the affected component, for example through a web service that supplies data to those APIs. It also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code downloaded from the internet) and rely on the Java sandbox for security.

Code Snippet (example)

The following code snippet demonstrates a simple Java application that could be vulnerable to CVE-2024-21094:

public class VulnerableApp {
    public static void main(String[] args) {
        // Fetch data from an untrusted source
        String untrustedData = getDataFromUntrustedSource();

        // Process data using an affected Oracle Java SE, Oracle GraalVM for JDK, 
        // or Oracle GraalVM Enterprise Edition version
        processData(untrustedData);
    }

    private static String getDataFromUntrustedSource() {
        // Fetch data from an external source, e.g., web service, internet, etc.
        return "untrusted-data";
    }

    private static void processData(String data) {
        // Perform some operations on the untrusted data
        System.out.println("Processing data: " + data);
    }
}

If VulnerableApp runs on an affected product version and relies on the Java sandbox for isolation, an attacker with network access could potentially manipulate the data it processes.

CVSS 3.1 Base Score and Vector

The CVSS 3.1 Base Score for this vulnerability is 3.7 (Low severity). The CVSS vector for this issue is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N: network-reachable, high attack complexity, no privileges or user interaction required, scope unchanged, with a low Integrity impact and no Confidentiality or Availability impact.

Original References

For more information about the CVE-2024-21094 vulnerability, refer to the following original references:
- Oracle Security Alert for CVE-2024-21094: https://www.oracle.com/security-alerts/alert-CVE-2024-21094.html
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21094

Conclusion

We strongly recommend that users of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products update their systems to the latest version as soon as possible to avoid potential exploitation of the CVE-2024-21094 vulnerability.

Timeline

Published on: 04/16/2024 22:15:29 UTC
Last modified on: 04/26/2024 09:15:11 UTC