A new vulnerability, classified as CVE-2024-21145, has been discovered in multiple Oracle products, including Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. This vulnerability affects the 2D component, and successful exploitation can lead to unauthorized access, updates, insertions, or deletions of data within these products. In this post, we discuss the details of this vulnerability, its risk factors, and how attackers can potentially exploit it.
Exploit Details
The vulnerability can be exploited by an unauthenticated attacker with network access via multiple protocols. It is difficult to exploit and requires careful execution. Attackers can take advantage of APIs in the specified component, such as through a web service that supplies data to the APIs. Additionally, this vulnerability can impact Java deployments, particularly in clients running sandboxed Java Web Start applications or sandboxed Java applets that rely on the Java sandbox for security.
The post gives only a skeleton of code that may be used to exploit this vulnerability; the bodies that would produce the data and call the 2D APIs are not provided, and the placeholders below are left so the class compiles:
import java.awt.*;
import javax.imageio.*;
import java.io.*;

public class CVE_2024_21145 {
    public static void main(String[] args) throws Exception {
        Object maliciousData = getMaliciousData();
        // Decode the attacker-controlled bytes through the 2D/ImageIO pipeline
        Image maliciousImage = ImageIO.read(new ByteArrayInputStream((byte[]) maliciousData));
        processImage(maliciousImage);
    }

    public static Object getMaliciousData() {
        // Code to generate or acquire malicious data (not supplied by the post)
        return null; // placeholder only; no sample data is given
    }

    public static void processImage(Image image) {
        // Code to call vulnerable 2D APIs (not supplied by the post)
    }
}
Risk Assessment
This vulnerability, CVE-2024-21145, has a CVSS 3.1 Base Score of 4.8, which signifies a moderate risk level. The CVSS vector for this vulnerability is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N): network-reachable with high attack complexity, no privileges or user interaction required, low confidentiality and integrity impact, and no availability impact.
Mitigation and Remediation
Oracle has not yet released a patch or updates to address this vulnerability. In the meantime, it is vital for users to remain cautious when working with web services that supply data to the affected 2D APIs, or when running sandboxed Java Web Start applications and applets that rely on the Java sandbox for security. Furthermore, users should minimize the use of affected versions of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition until the vulnerability is corrected.
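As an added example (not code from the post or from Oracle), the guard below shows the kind of input validation a web service can place in front of the ImageIO/2D decoding path while waiting for a fix: it caps the byte size, checks the detected format against an allow list, and reads the header dimensions before committing to a full decode. The size and format limits are assumptions for illustration; patching remains the actual remediation, since the exact trigger condition is not given in the post.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Iterator;
import java.util.Set;

public class GuardedImageDecoder {
    // Assumed limits for this example; tune them to the service's real needs.
    private static final int MAX_BYTES = 5 * 1024 * 1024;
    private static final long MAX_PIXELS = 4096L * 4096L;
    private static final Set<String> ALLOWED_FORMATS = Set.of("png", "jpeg");

    public static BufferedImage decodeUntrusted(byte[] data) throws IOException {
        if (data == null || data.length == 0 || data.length > MAX_BYTES) {
            throw new IOException("rejected: input size out of bounds");
        }
        try (ImageInputStream iis = ImageIO.createImageInputStream(new ByteArrayInputStream(data))) {
            if (iis == null) throw new IOException("rejected: no image input stream");
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
            if (!readers.hasNext()) throw new IOException("rejected: unrecognised format");
            ImageReader reader = readers.next();
            try {
                String fmt = reader.getFormatName().toLowerCase();
                if (!ALLOWED_FORMATS.contains(fmt)) throw new IOException("rejected: format " + fmt);
                reader.setInput(iis, true, true); // seek-forward only, ignore metadata
                long w = reader.getWidth(0);      // header only, no pixel decode yet
                long h = reader.getHeight(0);
                if (w <= 0 || h <= 0 || w * h > MAX_PIXELS) {
                    throw new IOException("rejected: dimensions " + w + "x" + h);
                }
                return reader.read(0); // full decode only after the checks pass
            } finally {
                reader.dispose();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a 2x2 PNG generated in-process so the example runs offline.
        BufferedImage tiny = new BufferedImage(2, 2, BufferedImage.TYPE_INT_RGB);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ImageIO.write(tiny, "png", out);
        System.out.println("accepted: " + decodeUntrusted(out.toByteArray()).getWidth() + "px wide");
    }
}
```

Dimension and format checks reduce the untrusted surface reaching the decoder but do not replace the vendor update; log every rejection so abuse attempts against the endpoint are visible to detection.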
Original References
For the official announcement and further details on this vulnerability, refer to the following sources:
1. Oracle Security Advisory
2. CVE Entry
Conclusion
CVE-2024-21145 is a recently discovered vulnerability in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products. It poses a moderate risk to users and requires proper attention to prevent possible exploitation. Users should stay updated on the latest developments regarding this vulnerability and remain vigilant when working with affected products and their components.
Timeline
Published on: 07/16/2024 23:15:15 UTC
Last modified on: 09/20/2024 13:46:53 UTC