Oracle Java SE
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*
- 8u471
- 8u471-b50
- 8u471-perf
- 11.0.29
- 17.0.17
- 21.0.9
- 25.0.1
A vulnerability has been identified in the Networking component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Affected versions include Oracle Java SE 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, and 25.0.1, as well as Oracle GraalVM for JDK versions 17.0.17 and 21.0.9, and Oracle GraalVM Enterprise Edition 21.3.16. This vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise the affected Java environments. Exploitation requires human interaction from a third party. While the vulnerability exists within the Java environments, successful attacks could significantly impact other products. The vulnerability can be exploited through APIs in the Networking component, such as via a web service that provides data to these APIs. It also affects Java deployments in clients running sandboxed Java Web Start applications or applets that load untrusted code from the internet and depend on the Java sandbox for security.
Exploitation of this vulnerability could lead to unauthorized access allowing updates, inserts, or deletions of certain accessible data within the affected Java environments. Additionally, it could permit unauthorized read access to a subset of accessible data.