CVE-2024-21147 - Critical Vulnerability in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition

A critical vulnerability, dubbed as CVE-2024-21147, has been discovered in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products. The affected component is Hotspot and the vulnerability allows an unauthenticated attacker to compromise these Oracle products through unauthorized access and modifications of critical data. This blog post will delve into the details of the vulnerability, its impact, and ways to mitigate it.

Exploit Details

The CVE-2024-21147 vulnerability is difficult to exploit and requires an attacker to have access via multiple protocols. Once exploited, the attacker will have unauthorized creation, deletion, or modification access to critical data or all accessible data within Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition.

This vulnerability can be exploited by using APIs in the specified Component (Hotspot), e.g., through a web service which supplies data to the APIs. It also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code coming from the internet) and rely on the Java sandbox for security.

Severity and Impact

The CVE-2024-21147 vulnerability poses a significant risk, as it can lead to unauthorized access to critical data or complete access to all accessible data within the affected Oracle products. CVSS 3.1 has given it a base score of 7.4, indicating high impact on confidentiality and integrity. The CVSS Vector is described as (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Mitigation

Oracle has already released patches addressing the CVE-2024-21147 vulnerability. Users are advised to install the latest available updates for Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition.

Conclusion

CVE-2024-21147 is a critical vulnerability affecting Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products. Though the vulnerability is difficult to exploit, successful attacks can result in unauthorized access and modifications to critical data. To protect your systems and applications, ensure that you apply the latest Oracle patches and follow good security practices.

References

1. Oracle Security Alert for CVE-2024-21147: https://www.oracle.com/security-alerts/alert-CVE-2024-21147.html
2. CVE-2024-21147 Detail: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21147
3. Oracle Critical Patch Update Advisory: https://www.oracle.com/security-alerts/cpu.html

Timeline

Published on: 07/16/2024 23:15:16 UTC
Last modified on: 07/19/2024 14:15:05 UTC