Oracle Java SE and GraalVM 2D Component Vulnerability Allowing Takeover via Network Access

Vulnerability

A vulnerability has been identified in the 2D component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Affected versions include Oracle Java SE 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, and 24.0.1; Oracle GraalVM for JDK 17.0.15, 21.0.7, and 24.0.1; and Oracle GraalVM Enterprise Edition 21.3.14. The vulnerability is difficult to exploit, but it requires no authentication: an attacker with network access via multiple protocols can use it to compromise the affected product, and successful exploitation results in a complete takeover of the Java SE or GraalVM installation. It applies to Java deployments that load and run untrusted code and rely on the Java sandbox for isolation, such as sandboxed Java Web Start applications or sandboxed applets; it does not apply to deployments that load and run only trusted code.
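The following script is added here as a worked example and is not part of the advisory or of Oracle's tooling. It parses the output of `java -version` and reports whether the installed release falls into one of the Oracle Java SE or GraalVM for JDK lines listed above. It assumes, as Oracle Critical Patch Update advisories conventionally do, that the listed release is the newest affected one in each line, so older releases of the same line are flagged as well; it identifies the product only by version string and vendor banner, so a non-Oracle build reporting the same number must be judged against its own distributor's advisory. The sample outputs at the bottom are constructed.

```python
import re
import subprocess

# Latest affected release per Oracle Java SE / GraalVM for JDK line, taken from
# the advisory text above (8u451 is the legacy string "1.8.0_451"). The
# 8u451-perf build carries the same version number and is covered by that entry.
AFFECTED_BY_FEATURE = {
    8: (8, 0, 451),
    11: (11, 0, 27),
    17: (17, 0, 15),
    21: (21, 0, 7),
    24: (24, 0, 1),
}

# First line of `java -version`, e.g.   java version "17.0.15" 2025-04-15 LTS
VERSION_LINE_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(text):
    """Normalise a Java version string to a (feature, interim, update) tuple.

    Accepts the legacy 1.x format ("1.8.0_451" -> (8, 0, 451)) and the JEP 223
    format ("17.0.15" -> (17, 0, 15), "21" -> (21, 0, 0)). Suffixes such as
    "-LTS", "-ea" or "+9" are not part of the release number and are dropped.
    """
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    legacy = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)", core)
    if legacy:
        return tuple(int(g) for g in legacy.groups())
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Java version string: {text!r}")
    nums = [int(p) for p in parts] + [0, 0]
    return tuple(nums[:3])


def is_affected(version):
    """True if the release is the listed affected release of its line or older.

    Assumption (not stated on the page): the advisory lists the newest affected
    release per line, as Oracle CPU advisories do, so earlier releases of that
    line are out of date and treated as affected. Lines the page does not list
    (e.g. 22, 23) return False because the page makes no claim about them.
    """
    latest_affected = AFFECTED_BY_FEATURE.get(version[0])
    return latest_affected is not None and version <= latest_affected


def classify_version_output(output):
    """Classify the text `java -version` prints (it goes to stderr).

    Returns (version_string, is_oracle_build, affected). Oracle builds identify
    themselves with "Java(TM) SE Runtime Environment"; OpenJDK and other
    distributions that report the same number need their own vendor's advisory.
    """
    m = VERSION_LINE_RE.search(output)
    if not m:
        raise ValueError("no Java version line found in output")
    version_string = m.group(1)
    is_oracle = "Java(TM) SE Runtime Environment" in output
    return version_string, is_oracle, is_affected(parse_java_version(version_string))


def classify_installed(java_cmd="java"):
    """Run the real `java -version` on this host and classify it."""
    proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True)
    return classify_version_output(proc.stderr + proc.stdout)


# Constructed sample outputs in the shape Oracle and OpenJDK builds print them.
SAMPLE_ORACLE_17_0_15 = (
    'java version "17.0.15"\n'
    "Java(TM) SE Runtime Environment (build 17.0.15+9-LTS)\n"
    "Java HotSpot(TM) 64-Bit Server VM (build 17.0.15+9-LTS, mixed mode, sharing)\n"
)
SAMPLE_ORACLE_8U451 = (
    'java version "1.8.0_451"\n'
    "Java(TM) SE Runtime Environment (build 1.8.0_451-b10)\n"
    "Java HotSpot(TM) 64-Bit Server VM (build 25.451-b10, mixed mode)\n"
)
SAMPLE_OPENJDK_21_0_8 = (
    'openjdk version "21.0.8"\n'
    "OpenJDK Runtime Environment (build 21.0.8+9)\n"
    "OpenJDK 64-Bit Server VM (build 21.0.8+9, mixed mode, sharing)\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_ORACLE_17_0_15, SAMPLE_ORACLE_8U451, SAMPLE_OPENJDK_21_0_8):
        ver, oracle, affected = classify_version_output(sample)
        print(f"{ver:12} oracle_build={oracle!s:5} affected_per_advisory={affected}")
```

Call classify_installed() on a host with several JDKs once per installation (pass the full path of each java binary) rather than relying on whatever is first on PATH, since the vulnerable runtime is often a bundled one rather than the system default. GraalVM Enterprise Edition 21.3.14 reports its own product version separately from the underlying JDK number and is not covered by this version-number check.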

Impact

Successful exploitation results in a complete takeover of the affected Oracle Java SE, Oracle GraalVM for JDK, or Oracle GraalVM Enterprise Edition installation, that is, full control of the installation by the attacker rather than limited information disclosure or denial of service.

Added: Jul 15, 2025, 11:21 PM
Updated: Jul 15, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm

  spread:          9.0
  impact:          7.5
  exploitability:  4.7
  remediation:     0.0
  relevance:       0.3
  threat:          0.0
  urgency:         2.9
  incentive:       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.