CVE-2021-35564 in Java SE
Summary
by MITRE • 10/20/2021
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/15/2025
This vulnerability resides within the keytool component of Oracle Java SE and GraalVM Enterprise Edition, representing a critical integrity flaw that undermines the security of cryptographic operations. The vulnerability affects multiple Java versions including 7u311, 8u301, 11.0.12, and 17, alongside GraalVM versions 20.3.3 and 21.2.0, making it particularly dangerous due to its widespread deployment across enterprise environments. The flaw manifests in the improper handling of certificate data during key management operations, creating a pathway for attackers to manipulate cryptographic materials without authentication. According to CWE-225, this represents a weakness in cryptographic key management where the system fails to properly validate certificate parameters, while the ATT&CK framework categorizes this under T1552.001 - Credentials in Files, as it enables unauthorized modification of security-critical certificate data.
The attack vector for this vulnerability is particularly concerning as it requires only network access without authentication, making it easily exploitable by remote adversaries. The vulnerability can be triggered through multiple protocols, including web services and Java Web Start applications, which means it can be leveraged in various attack scenarios. When exploited, the vulnerability allows attackers to perform unauthorized insert, update, or delete operations on data accessible through the affected Java components, though the CVSS score of 5.3 indicates primarily integrity impacts rather than complete system compromise. The attack scenario typically involves loading untrusted code into sandboxed environments where the Java security model is expected to provide protection, but the vulnerability bypasses these security boundaries.
The operational impact of this vulnerability extends beyond simple data integrity concerns as it compromises the fundamental trust model of Java-based applications. Organizations running affected Java versions face potential certificate forgery, key compromise, and unauthorized cryptographic operations that could lead to broader security breaches. The vulnerability's exploitation is particularly dangerous in environments where Java applets or Web Start applications are still in use, as these deployment models often lack the modern security controls found in contemporary web applications. The CVSS vector analysis reveals that while no user interaction or privileges are required for exploitation, the vulnerability's impact is limited to integrity rather than confidentiality or availability, though this does not diminish its severity in cryptographic contexts. Organizations should prioritize patching affected systems and implementing network segmentation to limit the potential attack surface, while also reviewing their Java deployment practices to reduce reliance on potentially vulnerable sandboxed applications.
The vulnerability demonstrates the ongoing challenges in maintaining secure cryptographic implementations within widely-deployed software platforms. It highlights the importance of proper input validation and parameter handling in security-critical components, as well as the need for comprehensive testing of cryptographic operations. The affected components represent a significant attack surface that requires immediate attention from security teams, particularly those managing legacy Java applications. This vulnerability serves as a reminder of the critical importance of keeping Java installations up-to-date, as it specifically targets known versions that have been superseded by patched releases, emphasizing the risks associated with running unsupported software versions in production environments.