Oracle Java SE and GraalVM JSSE Vulnerability Allowing Unauthorized Data Access and Modification

Vulnerability

A vulnerability exists in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically within the JSSE component. Affected versions are Oracle Java SE 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, and 24; Oracle GraalVM for JDK 17.0.14, 21.0.6, and 24; and Oracle GraalVM Enterprise Edition 20.3.17 and 21.3.13. The vulnerability is difficult to exploit, but it allows an unauthenticated attacker with network access via multiple protocols to compromise the affected Java environments. Successful exploitation can result in unauthorized creation, deletion, or modification of critical data, or of all data accessible within the Oracle Java SE, GraalVM for JDK, or GraalVM Enterprise Edition environment. The vulnerability can be exploited through APIs in the JSSE component, for example via a web service that supplies data to these APIs. It also affects Java deployments on clients that run sandboxed Java Web Start applications or sandboxed Java applets which load untrusted code from the internet and rely on the Java sandbox for security.

Impact

Successful exploitation allows unauthorized access to critical data, or to all data accessible within the affected Java environment, together with the ability to create, delete, or modify that data without authorization.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.0
exploitability: 4.7
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.