Oracle Java SE and GraalVM 2D Component Vulnerability Allowing Takeover

Vulnerability

A vulnerability has been identified in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically within the 2D component. Affected versions include Oracle Java SE 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, and 24.0.1, as well as Oracle GraalVM for JDK 17.0.15, 21.0.7, and 24.0.1. This vulnerability is difficult to exploit but allows an unauthenticated attacker with network access via multiple protocols to compromise the affected Java environments. Successful exploitation can lead to a complete takeover of the Java SE or GraalVM deployment. The vulnerability can be exploited through APIs in the 2D component, potentially via a web service that provides data to these APIs. It also affects Java deployments in clients running sandboxed Java Web Start applications or applets that load untrusted code from the internet and depend on the Java sandbox for security.

Impact

Exploitation of this vulnerability can result in a complete takeover of the affected Oracle Java SE or GraalVM environment.

Added: Jul 15, 2025, 9:07 PM
Updated: Jul 15, 2025, 9:07 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          9.0
impact          7.5
exploitability  4.7
remediation     0.0
relevance       0.3
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.