Oracle Java SE
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*
- 8u451
- 8u451-perf
- 11.0.27
- 17.0.15
- 21.0.7
- 24.0.1
A vulnerability has been identified in multiple Oracle Java SE and GraalVM products, specifically within the JSSE component. The affected versions include Oracle Java SE 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, and 24.0.1, as well as Oracle GraalVM for JDK 17.0.15, 21.0.7, and 24.0.1, and Oracle GraalVM Enterprise Edition 21.3.14. This vulnerability, which is difficult to exploit, allows an unauthenticated attacker with network access via TLS to compromise the affected Java environments. Successful exploitation could lead to unauthorized read access to certain data, as well as unauthorized update, insert, or delete access to some accessible data. The vulnerability is relevant in Java deployments that run untrusted code from the internet, such as sandboxed Java Web Start applications or applets, and does not affect server deployments that only run trusted code.
Exploitation of this vulnerability could result in unauthorized access to read, modify, insert, or delete certain data within the affected Java environment.