A new vulnerability, identified as CVE-2024-21144, has been discovered in Oracle Java SE and Oracle GraalVM Enterprise Edition, specifically in the Concurrency component of the products. The affected versions are Oracle Java SE: 8u411, 8u411-perf, 11..23; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. This vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition.

Exploit Details

The vulnerability is difficult to exploit and can result in an unauthorized ability to cause a partial denial of service (partial DoS) of Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code, such as code installed by an administrator.

The CVSS 3.1 Base Score for this vulnerability is 3.7 and mainly impacts availability. The CVSS Vector is: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Below is an example of a potentially vulnerable Java Web Start application:

import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;

public class ExampleWebStartApp {
    public static void main(String[] args) throws Exception {
        // Loading and running untrusted code fetched from the internet;
        // only the Java sandbox stands between this code and the host.
        URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{new URL("http://example.com/untrusted.jar")});
        Class<?> loadedClass = urlClassLoader.loadClass("com.example.UntrustedClass");
        Method mainMethod = loadedClass.getMethod("main", String[].class);
        // Invoke the untrusted class's static main with an empty argument array
        mainMethod.invoke(null, (Object) new String[0]);
    }
}

If the untrusted code being loaded and run in this example exploits the CVE-2024-21144 vulnerability, the end result can be an impact on the application's availability, leading to a partial DoS.

Original References

1. Oracle Critical Patch Update Advisory: https://www.oracle.com/security-alerts/cpuapr2024.html
2. CVE-2024-21144 NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-21144
3. Oracle Java SE Downloads: https://www.oracle.com/java/technologies/javase-downloads.html
4. Oracle GraalVM Enterprise Edition Downloads: https://www.oracle.com/graalvm/downloads/

Conclusion

It is essential for organizations relying on Oracle Java SE and Oracle GraalVM Enterprise Edition to keep their software up-to-date and apply the necessary patches to mitigate this vulnerability. As always, avoid running untrusted code, especially from unknown sources on the internet, and consider implementing additional layers of security to protect your applications and infrastructure from potential exploits.

Timeline

Published on: 07/16/2024 23:15:15 UTC
Last modified on: 07/19/2024 14:15:05 UTC