CVE-2021-35559 in Java SE
Summary
by MITRE • 10/20/2021
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Analysis
by VulDB Data Team • 05/15/2025
This vulnerability resides within the Swing component of Oracle Java SE and GraalVM Enterprise Edition and is a concern for applications that execute untrusted code within sandboxed environments. The flaw affects multiple Java versions, including 7u311, 8u301, 11.0.12 and 17, as well as GraalVM Enterprise Edition 20.3.3 and 21.2.0, so it is widespread across the Java ecosystem. Oracle's classification of the issue as easily exploitable, reflected in the CVSS vector (AV:N/AC:L/PR:N/UI:N), indicates that an unauthenticated, remote attacker can trigger it without specialized skills, prior privileges or user interaction, presenting a substantial risk to organizations relying on Java-based applications.
The technical nature of this vulnerability stems from insufficient validation within the Swing component that processes graphical user interface elements. When Java applications execute untrusted code through sandboxed environments such as Java Web Start applications or applets, the system relies on the sandbox to prevent malicious activity. This flaw lets untrusted code, or data supplied to the affected Swing APIs, put the runtime into a state that degrades availability. The CVSS 3.1 base score of 5.3 reflects moderate severity, with availability as the only impact recorded in the vector (C:N/I:N/A:L).
The operational impact of this vulnerability manifests primarily as a partial denial of service, where attackers can disrupt the normal operation of affected Java applications without gaining system control. This is particularly concerning in enterprise environments where Java applications form the backbone of business-critical systems. Because the issue applies both to client-side applications and to APIs that receive external data, organizations must consider multiple attack vectors, including web services that pass untrusted input to the affected Swing component. The fact that sandboxed deployments are the primary target highlights that the sandbox is the control being relied on, and that whatever it admits must be treated as hostile input.
Organizations should implement immediate mitigations, starting with the latest security patches from Oracle, which address the underlying validation flaw in the Swing component. Network segmentation and firewall rules can limit exposure by restricting access to affected Java applications, particularly those that process untrusted input. Organizations should also review their Java deployment configurations to ensure that applications running in sandboxed environments properly enforce security boundaries. The vulnerability's alignment with CWE-20 (Improper Input Validation) and its potential mapping to ATT&CK technique T1203 (Exploitation for Client Execution) underscore the need for measures beyond patching alone: application whitelisting, monitoring for suspicious network activity, and regular security assessments of Java-based applications. Finally, organizations should consider migrating away from legacy Java versions where possible, as older versions often contain unpatched vulnerabilities that pose greater risks.
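The first practical step behind "apply the latest patches" is finding which hosts still run a release at or below the affected levels listed above. The following Python script is an added example, not part of the VulDB advisory or any Oracle tooling: it parses `java -version` output in both the legacy `1.8.0_301` form and the newer `11.0.12` / `17` form, and compares the result against the affected ceilings the advisory names (7u311, 8u301, 11.0.12, 17). It assumes that any release newer than a listed ceiling carries the fix, which the advisory does not state, and it covers Java SE only, not GraalVM Enterprise Edition. The sample outputs are constructed, not captured from real hosts.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Highest affected release per major family, as listed in the advisory
# (Java SE 7u311, 8u301, 11.0.12 and 17). Releases at or below a ceiling are
# flagged; anything newer is ASSUMED here to be fixed (the advisory does not
# name fixed versions). GraalVM Enterprise Edition is not covered.
AFFECTED_CEILINGS: Dict[int, Version] = {
    7: (7, 0, 311),
    8: (8, 0, 301),
    11: (11, 0, 12),
    17: (17, 0, 0),
}

_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)_(\d+)")          # e.g. 1.8.0_301-b09
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")   # e.g. 11.0.12, 17, 17.0.1


def parse_java_version(output: str) -> Optional[Version]:
    """Return (major, minor, update) from `java -version` text, or None if absent."""
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        return None
    tag = m.group(1)
    legacy = _LEGACY.match(tag)
    if legacy:
        major, minor, update = (int(g) for g in legacy.groups())
        return (major, minor, update)
    modern = _MODERN.match(tag)
    if modern:
        major = int(modern.group(1))
        minor = int(modern.group(2) or 0)
        update = int(modern.group(3) or 0)
        return (major, minor, update)
    return None


def classify(version: Optional[Version]) -> str:
    """Map a parsed version to 'affected', 'assumed_fixed', 'not_listed' or 'unknown'."""
    if version is None:
        return "unknown"
    ceiling = AFFECTED_CEILINGS.get(version[0])
    if ceiling is None:
        return "not_listed"  # family not named in the advisory (e.g. Java 16)
    return "affected" if version <= ceiling else "assumed_fixed"


def assess(output: str) -> Tuple[Optional[Version], str]:
    """Parse one host's `java -version` output and classify it."""
    version = parse_java_version(output)
    return version, classify(version)


# Constructed sample outputs (not captured from real hosts).
SAMPLE_OUTPUTS = {
    "jdk8_affected": 'java version "1.8.0_301"\nJava(TM) SE Runtime Environment (build 1.8.0_301-b09)\n',
    "jdk8_newer": 'java version "1.8.0_311"\n',
    "jdk11_affected": 'openjdk version "11.0.12" 2021-07-20\nOpenJDK Runtime Environment (build 11.0.12+7)\n',
    "jdk17_affected": 'java version "17" 2021-09-14 LTS\n',
    "jdk17_newer": 'java version "17.0.1" 2021-10-19 LTS\n',
    "jdk16_unlisted": 'openjdk version "16.0.2" 2021-07-20\n',
    "no_java": "java: command not found\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        version, status = assess(text)
        print(f"{name:16s} {str(version):16s} {status}")
```

In an inventory job, feed `assess()` the stderr of `java -version` collected from each host (the JVM prints its banner on stderr). Treat `not_listed` as "check the vendor advisory", not as safe: the ceilings only cover the families the advisory names, and non-Oracle OpenJDK builds carry their own fix schedules.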