Oracle Java SE and GraalVM RMI Vulnerability Allowing Unauthorized Data Access and Modification

Vulnerability

A vulnerability has been identified in the RMI component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Affected versions include Oracle Java SE 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, and 25.0.1; Oracle GraalVM for JDK 17.0.17 and 21.0.9; and Oracle GraalVM Enterprise Edition 21.3.16. The vulnerability is difficult to exploit, but it allows an unauthenticated attacker with network access via multiple protocols to compromise an affected Java environment. Successful exploitation gives unauthorized update, insert, or delete access to some of the data reachable from the Java environment, and unauthorized read access to a subset of that data.

The vulnerability is exploitable through the APIs of the RMI component, for example via a web service that passes attacker-supplied data to those APIs. It also applies to client deployments that run sandboxed Java Web Start applications or sandboxed applets, which load untrusted code from the internet and rely on the Java sandbox for security. Note that Oracle removed the browser plugin and Java Web Start from Oracle JDK 11 onward, so this second path is relevant only to the Java 8 line; server-side deployments should focus on where RMI endpoints are reachable from untrusted networks.
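Turning the affected-version list above into a fleet check means parsing two Java version schemes: the legacy `1.8.0_471` form (also written `8u471`, with `-b50` or `-perf` build suffixes) and the modern `17.0.17` form. The following Python is an added example, not code from the advisory or from Oracle; it treats every release at or below a listed affected version in the same feature line as needing the update (an assumption, since the advisory says "include", and earlier releases are unpatched), compares version numbers only and says nothing about vendor or backported builds, and does not cover the separate GraalVM Enterprise Edition 21.3.x numbering. The sample `java -version` lines are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (feature, interim, update, patch)

# Latest affected release per Java SE feature line, from the advisory text:
# 8u471 (incl. -b50 and -perf), 11.0.29, 17.0.17, 21.0.9, 25.0.1.
AFFECTED_CEILING = {
    8: (8, 0, 471, 0),
    11: (11, 0, 29, 0),
    17: (17, 0, 17, 0),
    21: (21, 0, 9, 0),
    25: (25, 0, 1, 0),
}

_QUOTED = re.compile(r'version "([^"]+)"')                             # first line of `java -version`
_SHORT8 = re.compile(r"^8u(\d+)")                                       # 8u471-perf
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")                    # 1.8.0_471-b50
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?")     # 17.0.17+8-LTS


def parse_java_version(text: str) -> Optional[Version]:
    """Parse a bare version string or the first line of `java -version` output.

    Returns (feature, interim, update, patch), or None if the text is unrecognised.
    Build suffixes such as "-b50", "-perf" and "+8-LTS" are ignored on purpose.
    """
    m = _QUOTED.search(text)
    s = (m.group(1) if m else text).strip()
    if (m8 := _SHORT8.match(s)):
        return (8, 0, int(m8.group(1)), 0)
    if (ml := _LEGACY.match(s)):
        # Legacy JDK <= 8 scheme: 1.<feature>.<minor>_<update>
        return (int(ml.group(1)), int(ml.group(2)), int(ml.group(3) or 0), 0)
    if (mm := _MODERN.match(s)):
        feature, interim, update, patch = (int(g or 0) for g in mm.groups())
        return (feature, interim, update, patch)
    return None


def assess(text: str) -> str:
    """Classify a JDK against the advisory's affected list.

    'affected'          same feature line, at or below the listed affected release
                        (assumption: earlier updates in that line are unpatched too)
    'newer_than_listed' same feature line, newer than the listed affected release
    'unlisted'          a feature line the advisory does not enumerate
    'unknown'           the text could not be parsed
    """
    v = parse_java_version(text)
    if v is None:
        return "unknown"
    ceiling = AFFECTED_CEILING.get(v[0])
    if ceiling is None:
        return "unlisted"
    return "affected" if v <= ceiling else "newer_than_listed"


if __name__ == "__main__":
    # Constructed sample lines in the shape `java -version` prints them.
    samples = [
        'java version "1.8.0_471"',
        'java version "1.8.0_461"',
        '8u471-perf',
        'java version "17.0.17" LTS',
        'openjdk version "21.0.10"',
        'java version "25.0.1"',
        'java version "22.0.2"',
    ]
    for line in samples:
        print(f"{assess(line):18} {line}")
```

Feed it the first line of `java -version 2>&1` from each host (or the `java.version` system property from a running JVM); anything reported as `affected` or `unlisted` needs a manual look, since `unlisted` covers both end-of-life feature lines and releases the advisory simply does not enumerate.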

Impact

Successful exploitation allows unauthorized modification, deletion, or insertion of accessible data, as well as unauthorized read access to a subset of accessible data within the affected Java environments.

Added: Jan 20, 2026, 11:53 PM
Updated: Jan 20, 2026, 11:53 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 0.0
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.