Oracle Java SE and GraalVM 2D Component Vulnerability Allowing Unauthorized Data Access and Partial Denial-of-Service

Vulnerability

A vulnerability has been identified in the 2D component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The affected versions are Oracle Java SE 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, and 24; Oracle GraalVM for JDK 17.0.14, 21.0.6, and 24; and Oracle GraalVM Enterprise Edition 20.3.17 and 21.3.13. Although difficult to exploit, the vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise the affected Java environments. Successful exploitation could lead to unauthorized update, insert, or delete access to some of the data reachable from the affected environment, as well as unauthorized read access to a subset of that data, and could also let an attacker cause a partial denial-of-service on the affected Java environment. This vulnerability applies to Java deployments in client environments that run untrusted code through Java Web Start applications or applets and rely on the Java sandbox for security. It does not apply to server deployments that load and run only trusted code.

Impact

Exploitation of this vulnerability could result in unauthorized access allowing modification or deletion of certain accessible data, unauthorized read access to a subset of data, and the ability to cause a partial denial-of-service on the affected Java environment.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM