A critical vulnerability has been discovered in the Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products, specifically in the Hotspot component. This vulnerability has been assigned the identifier CVE-2025-21502. The impacted versions of these products are as follows:
Oracle GraalVM Enterprise Edition: 20.3.16, 21.3.12
This difficult-to-exploit vulnerability can allow an unauthenticated attacker with network access through multiple protocols to compromise the affected products. A successful attack can result in unauthorized update, insert, or delete access to some of the accessible data, as well as unauthorized read access to a subset of that data.
Exploit Details
This vulnerability can be exploited using APIs in the specified Hotspot component by, for example, leveraging a web service which supplies data to the APIs. This vulnerability is also applicable to Java deployments, which typically include clients running sandboxed Java Web Start applications or sandboxed Java applets. These deployments load and run untrusted code (such as code from the internet) and rely on the Java sandbox for security.
The vulnerability carries a CVSS 3.1 Base Score of 4.8, with low impact on Confidentiality and Integrity and none on Availability (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Mitigation
To protect your system from this vulnerability, it is recommended to update your Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition to the latest supported versions. You can find these updates and specific instructions for applying them at the following official Oracle links:
1. Oracle Java SE updates: https://www.oracle.com/java/technologies/javase-downloads.html
2. Oracle GraalVM for JDK updates: https://www.oracle.com/graalvm/downloads
3. Oracle GraalVM Enterprise Edition updates: https://www.oracle.com/graalvm/enterprise-edition
Additionally, monitor your environment for unauthorized reads or modifications of data exposed through the affected APIs, which are the outcomes this vulnerability enables, and for any other indications that it is being exploited.
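Before updating, an administrator needs to know which hosts actually run one of the listed releases. The script below is an added example, not part of the advisory or of any Oracle tooling: it reads the banner that `java -version` prints to stderr, extracts the GraalVM Enterprise Edition release number, and compares it against the two versions named above. The sample banners are constructed for this example; the rule that an older release on the same 20.3 or 21.3 line should be treated as unpatched is an assumption of this example, not a statement in the advisory.

```python
"""Inventory check: does a `java -version` banner identify a GraalVM
Enterprise Edition release that this advisory lists as affected?

Added example, not from the advisory or from Oracle. Sample banners are
constructed; only the two version numbers come from the advisory.
"""
import re
import subprocess
from typing import Optional, Tuple

# GraalVM Enterprise Edition versions named as affected in the advisory.
AFFECTED_GRAALVM_EE = {"20.3.16", "21.3.12"}

# GraalVM EE prints its release number after the runtime name, e.g.
# "Java(TM) SE Runtime Environment GraalVM EE 21.3.12 (build ...)".
GRAALVM_EE_RE = re.compile(r"GraalVM EE (\d+)\.(\d+)\.(\d+)")


def graalvm_ee_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return the GraalVM EE release as a tuple, or None if the banner is
    from some other JDK (plain Java SE, GraalVM for JDK, OpenJDK...)."""
    m = GRAALVM_EE_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(banner: str) -> str:
    v = graalvm_ee_version(banner)
    if v is None:
        return "not GraalVM EE (check Java SE / GraalVM for JDK separately)"
    dotted = ".".join(map(str, v))
    if dotted in AFFECTED_GRAALVM_EE:
        return f"GraalVM EE {dotted}: listed as affected, update required"
    # Assumption (not stated in the advisory): a release older than the
    # listed one on the same 20.3 / 21.3 line predates the fix.
    for aff in AFFECTED_GRAALVM_EE:
        at = tuple(int(x) for x in aff.split("."))
        if v[:2] == at[:2] and v < at:
            return f"GraalVM EE {dotted}: older than {aff}, treat as unpatched"
    return f"GraalVM EE {dotted}: not in the affected list"


def local_banner() -> Optional[str]:
    """Run `java -version` on this host; the banner goes to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


# Constructed sample banners in the shape `java -version` prints.
SAMPLE_AFFECTED = (
    'java version "17.0.0" 2000-01-01 LTS\n'
    "Java(TM) SE Runtime Environment GraalVM EE 21.3.12 (build constructed)\n"
    "Java HotSpot(TM) 64-Bit Server VM GraalVM EE 21.3.12 (build constructed, mixed mode)\n"
)
SAMPLE_OLDER = (
    'java version "11.0.0" 2000-01-01 LTS\n'
    "Java(TM) SE Runtime Environment GraalVM EE 20.3.10 (build constructed)\n"
)
SAMPLE_OPENJDK = (
    'openjdk version "21.0.0" 2000-01-01 LTS\n'
    "OpenJDK Runtime Environment (build constructed)\n"
)

if __name__ == "__main__":
    for name, banner in [("affected", SAMPLE_AFFECTED),
                         ("older", SAMPLE_OLDER),
                         ("openjdk", SAMPLE_OPENJDK)]:
        print(f"{name:>9}: {classify(banner)}")
    live = local_banner()
    print(f"this host: {classify(live) if live else 'java not found on PATH'}")
```

Run it under each JDK installation path in use (service accounts often pin their own `JAVA_HOME`, so the `java` on the interactive PATH is not always the one a server runs); anything reported as affected or unpatched goes on the update list from the Mitigation section.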
Conclusion
CVE-2025-21502 presents a significant risk to organizations using the affected Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products. It is strongly advised that users update these products to the latest supported versions and remain aware of any potential threats associated with this vulnerability.
Timeline
Published on: 01/21/2025 21:15:15 UTC
Last modified on: 01/31/2025 16:15:35 UTC