CVE-2021-35556 in Java SE

Summary

by MITRE • 10/20/2021

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).


Analysis

by VulDB Data Team • 05/15/2025

This vulnerability resides within the Java Swing component of Oracle Java SE and GraalVM Enterprise Edition, representing a significant security weakness that affects multiple version streams including Java 7u311, 8u301, 11.0.12, and 17, alongside GraalVM versions 20.3.3 and 21.2.0. The flaw manifests as an easily exploitable issue that requires no authentication and can be triggered through network-based attacks across multiple protocols. The vulnerability's classification under CVSS 3.1 with a base score of 5.3 indicates a moderate severity level, specifically targeting availability impacts with a local attack vector and low complexity requirements. This weakness falls under the CWE category of improper neutralization of special elements used in an OS command, though it more precisely aligns with CWE-121 for buffer overflow conditions or CWE-122 for buffer overflow in heap-based data structures, which are common in GUI component implementations.

The operational impact of this vulnerability extends primarily to client-side Java deployments where sandboxed applications execute untrusted code from potentially malicious sources, particularly affecting Java Web Start applications and applets that rely on the Java sandbox for security isolation. Attackers can exploit this weakness to achieve partial denial of service conditions, disrupting the normal operation of affected Java applications while maintaining the system's overall functionality. The vulnerability's applicability is specifically limited to environments where untrusted code execution occurs within sandboxed contexts, making server-side deployments that run only trusted administrator-installed code immune to this particular threat. This distinction aligns with ATT&CK framework technique T1059.007 for application deployment, where adversaries leverage legitimate system tools to execute malicious code within constrained environments.

The technical exploitation of this vulnerability typically involves crafting malicious input that triggers memory corruption or resource exhaustion within the Swing component's rendering or event handling mechanisms. This can occur when untrusted code attempts to manipulate GUI elements or process events in ways that exceed normal operational boundaries, leading to resource exhaustion or partial system instability. The attack surface is particularly broad given that Java Web Start applications and applets are commonly deployed in enterprise environments where users may encounter untrusted content from external sources. Organizations should implement comprehensive network segmentation to limit exposure, disable unnecessary Java Web Start functionality, and ensure that users do not execute untrusted code in sandboxed environments. Regular patch management protocols should be prioritized to address this vulnerability, with particular attention to deployments where user interaction with external content is expected, as these environments represent the primary attack vectors for this class of vulnerability.

Responsible: Oracle
Reservation: 06/28/2021
Disclosure: 10/20/2021
Moderation: accepted
CPE: ready
EPSS: 0.07819
KEV: no
Activities: very low
