Oracle Java SE
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*
- 8u481
- 8u481-b50
- 8u481-perf
- 11.0.30
- 17.0.18
- 21.0.10
- 25.0.2
- 26
A vulnerability exists in multiple Oracle Java SE and GraalVM products, specifically within the JSSE component. Affected versions include Oracle Java SE 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26; as well as Oracle GraalVM for JDK versions 17.0.18 and 21.0.10, and Oracle GraalVM Enterprise Edition 21.3.17. This vulnerability allows an unauthenticated attacker with network access via HTTPS to cause a partial denial-of-service, disrupting the availability of the affected Java environment. The issue can be exploited through APIs in the JSSE component, such as those used by web services that handle untrusted data. Additionally, this vulnerability impacts Java deployments that run sandboxed Java Web Start applications or applets, which load untrusted code from the internet and depend on the Java sandbox for security.
Exploitation of this vulnerability leads to a partial denial-of-service, causing disruptions in the availability of the affected Java environment.