Oracle Java SE
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*, +1 more
- 8u481
- 8u481-b50
- 8u481-perf
- 11.0.30
- 17.0.18
- 21.0.10
- 25.0.2
- 26
A vulnerability has been identified in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically within the Security component. Affected versions include Oracle Java SE 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26; as well as Oracle GraalVM for JDK versions 17.0.18 and 21.0.10, and Oracle GraalVM Enterprise Edition 21.3.17. This vulnerability, which is difficult to exploit, allows an unauthenticated attacker with access to the infrastructure where these Java products are executed to compromise them. Successful exploitation could lead to unauthorized read access of certain data within Oracle Java SE, Oracle GraalVM for JDK, or Oracle GraalVM Enterprise Edition. The vulnerability can be exploited through APIs in the Security component, such as via a web service that provides data to these APIs. It also affects Java deployments in clients running sandboxed Java Web Start applications or applets that load untrusted code from the internet and depend on the Java sandbox for security.
Exploitation of this vulnerability could result in unauthorized read access to some data within the affected Java environment.