Oracle Java SE
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*
- 8u461
- 8u461-perf
- 11.0.28
- 17.0.16
- 21.0.8
- 25
A vulnerability has been identified in the Security component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Affected versions include Oracle Java SE 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, and 25; Oracle GraalVM for JDK 17.0.16 and 21.0.8; and Oracle GraalVM Enterprise Edition 21.3.15. The vulnerability is difficult to exploit, but it allows an unauthenticated attacker with network access via multiple protocols to compromise the affected Java environments. Successful exploitation could lead to unauthorized creation, deletion, or modification of critical data, or of all data accessible within the affected Java environment. The vulnerability can be exploited through APIs in the Security component, for example through a web service that supplies data to these APIs. It also affects Java deployments in clients running sandboxed Java Web Start applications or applets that load untrusted code from the internet and depend on the Java sandbox for security.
Exploitation of this vulnerability could result in unauthorized changes to critical data or all data accessible within the affected Java environment.