CVE-2021-35565 in Java SE
Summary
by MITRE • 10/20/2021
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Analysis
by VulDB Data Team • 05/15/2025
This vulnerability resides within the Java Secure Socket Extension component of Oracle Java SE and GraalVM Enterprise Edition, representing a critical weakness in the TLS implementation that affects multiple supported versions including Java 7u311, 8u301, 11.0.12, and GraalVM versions 20.3.3 and 21.2.0. The flaw manifests as a buffer overflow condition in the TLS protocol handling mechanism that occurs when processing certain malformed TLS handshake messages. The vulnerability operates at the protocol level where the Java runtime fails to properly validate the length of TLS records during the handshake process, creating a scenario where malicious input can cause memory corruption. This specific weakness aligns with CWE-121, which describes heap-based buffer overflow conditions, and represents a classic example of improper input validation in cryptographic protocol implementations. The attack vector requires only network access and does not demand authentication, making it particularly dangerous as it can be exploited remotely by any attacker with access to the network.
The technical exploitation of this vulnerability occurs through the manipulation of TLS handshake sequences where specially crafted TLS records are sent to a vulnerable Java application server. When the Java runtime processes these malformed records, the insufficient bounds checking in the JSSE component causes a buffer overflow that can lead to memory corruption and subsequent denial of service conditions. The vulnerability specifically impacts the TLS record layer processing where the application fails to properly validate the length field of TLS records before attempting to read or process the associated data. This flaw enables attackers to cause partial denial of service by corrupting memory structures that govern the TLS connection handling, effectively preventing legitimate connections from being established or maintained. The CVSS score of 5.3 reflects the availability impact and the relatively low complexity required to exploit this weakness, as the attacker only needs to establish a network connection and send malformed TLS data to trigger the vulnerability.
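The analysis above turns on one missing check: the length field of a TLS record is used before it is validated against the bytes actually received. The following added example is not JDK or JSSE code and not VulDB's; it is a minimal record-layer parser that shows what that check looks like in practice. Every declared length, both the 16-bit record length and the 24-bit length inside each handshake message, is compared with what is really present before a single payload byte is read, and the four sample records are constructed for the demonstration, not captured traffic. The limits come from RFC 5246 (record payload at most 2^14 + 2048 bytes); the single-record treatment of handshake fragmentation is a simplification, noted in the code.

```python
import struct

# TLS record content types from RFC 5246 / RFC 8446.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_HEADER_LEN = 5      # type(1) + version(2) + length(2)
HANDSHAKE_HEADER_LEN = 4   # msg_type(1) + length(3)
# RFC 5246 section 6.2.3: TLSCiphertext.length MUST NOT exceed 2^14 + 2048 bytes.
MAX_RECORD_PAYLOAD = 2 ** 14 + 2048


class TlsRecordError(ValueError):
    """A record or handshake header failed length validation."""


def parse_handshake_headers(payload: bytes) -> list:
    """Walk the handshake messages inside one record, checking each declared
    length against the bytes that are actually present."""
    messages, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < HANDSHAKE_HEADER_LEN:
            raise TlsRecordError("truncated handshake header")
        msg_type = payload[offset]
        msg_len = int.from_bytes(payload[offset + 1:offset + 4], "big")
        # A handshake message may legitimately span several records; this
        # single-record validator treats that as an error, whereas a real
        # stack would buffer. The point is that msg_len is never trusted.
        if offset + HANDSHAKE_HEADER_LEN + msg_len > len(payload):
            raise TlsRecordError(
                f"handshake message declares {msg_len} bytes, "
                f"only {len(payload) - offset - HANDSHAKE_HEADER_LEN} present")
        messages.append((msg_type, msg_len))
        offset += HANDSHAKE_HEADER_LEN + msg_len
    return messages


def parse_record(buf: bytes) -> dict:
    """Parse one TLS record, validating the length field before any payload byte is read."""
    if len(buf) < RECORD_HEADER_LEN:
        raise TlsRecordError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:RECORD_HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise TlsRecordError(f"unknown content type {ctype}")
    if length == 0 or length > MAX_RECORD_PAYLOAD:
        raise TlsRecordError(f"record length {length} out of range")
    available = len(buf) - RECORD_HEADER_LEN
    if available < length:
        raise TlsRecordError(f"record declares {length} bytes, only {available} present")
    payload = buf[RECORD_HEADER_LEN:RECORD_HEADER_LEN + length]
    record = {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}
    if ctype == 22:
        record["handshake"] = parse_handshake_headers(payload)
    return record


def validate(buf: bytes) -> str:
    """Return 'ok' or the reason the record was rejected, suitable for a log line."""
    try:
        parse_record(buf)
        return "ok"
    except TlsRecordError as exc:
        return f"rejected: {exc}"


# Constructed sample records (not captured traffic).
WELL_FORMED = b"\x16\x03\x03\x00\x06" + b"\x01\x00\x00\x02\x03\x03"   # ClientHello header + 2 body bytes
OVERSIZED   = b"\x16\x03\x03\xff\xff" + b"\x01\x00\x00\x02\x03\x03"   # declares a 65535-byte payload
TRUNCATED   = b"\x16\x03\x03\x01\x00" + b"\x01\x00\x00\x02\x03\x03"   # declares 256 bytes, 6 present
NESTED_OVER = b"\x16\x03\x03\x00\x06" + b"\x01\x00\x01\x00\x03\x03"   # inner handshake length 256 > record

if __name__ == "__main__":
    for name, sample in [("well-formed", WELL_FORMED), ("oversized", OVERSIZED),
                         ("truncated", TRUNCATED), ("nested-overrun", NESTED_OVER)]:
        print(f"{name:15s} {validate(sample)}")
```

The three rejected samples are exactly the shapes a defender wants to see logged at the record layer: a length above the protocol maximum, a length larger than the bytes received, and an inner handshake length that overruns its enclosing record.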
The operational impact extends beyond simple service disruption. The immediate effect is partial denial of service, but the memory corruption aspect could in theory be extended to more advanced exploitation, particularly when combined with other vulnerabilities or aimed at specific application configurations. Organizations running vulnerable Java applications in production face significant risk because no authentication is required: an attacker can disrupt services and potentially gain unauthorized access to system resources. Because the flaw is present in both standard Java SE and GraalVM Enterprise Edition, users of either platform are equally exposed, particularly where web services or applications depend heavily on TLS connections for secure communication. Exploitation requires neither specialized tools nor a complex attack chain, which puts it within reach of a broad range of threat actors.
Mitigation should focus on prompt patching of affected systems with the latest Oracle security updates, which address the buffer overflow condition in the JSSE implementation. Because the vulnerability spans several major versions of the platform, organizations should prioritize updating every Java installation to a release that contains the fix. Where immediate patching is not possible, network segmentation and firewall rules should limit access to vulnerable services, and monitoring, including intrusion detection systems tuned to the patterns associated with this vulnerability, should be enhanced to flag anomalous TLS handshake activity that might indicate exploitation attempts. Further protective measures include strict TLS configuration policies that disable vulnerable TLS versions and cipher suites, together with regular security assessments to identify and remediate similar weaknesses in the application stack. Remediation should also include thorough testing, since the security updates may change TLS processing behavior in ways that affect legacy applications.
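The first remediation step above is knowing which installations match the affected versions the advisory lists. The following added example is not VulDB's or Oracle's tooling; it parses the text that `java -version` prints and classifies the runtime against the versions named on this page (Java SE 7u311, 8u301, 11.0.12; GraalVM Enterprise Edition 20.3.3, 21.2.0). It goes slightly beyond the page's literal list by treating earlier updates in the same family as affected too, following the Oracle CPU convention of naming the latest affected release; that treatment is an assumption made here. The sample outputs are constructed in the layout `java -version` uses, and the exact wording of the GraalVM EE runtime line is likewise an assumption.

```python
import re
import subprocess

# Affected versions as listed in the advisory: family -> highest affected
# update or patch number. Earlier updates in the same family are treated as
# affected as well (assumption based on Oracle CPU convention, not a page fact).
AFFECTED_JAVA_SE = {"1.7.0": 311, "1.8.0": 301, "11.0": 12}
AFFECTED_GRAALVM_EE = {"20.3": 3, "21.2": 0}


def java_se_status(version: str) -> str:
    """Classify a Java version string such as '1.8.0_301', '11.0.12' or '17.0.1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    major, minor, micro, update = m.groups()
    if major == "1":                      # legacy numbering: 1.7.0_311, 1.8.0_301
        family, level = f"1.{minor}.0", int(update or 0)
    else:                                 # JEP 223 numbering: 11.0.12
        family, level = f"{major}.{minor}", int(micro)
    if family not in AFFECTED_JAVA_SE:
        return "not-listed"
    return "affected" if level <= AFFECTED_JAVA_SE[family] else "patched"


def graalvm_status(version: str) -> str:
    """Classify a GraalVM Enterprise Edition version such as '21.2.0'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GraalVM version string: {version!r}")
    major, minor, patch = m.groups()
    family = f"{major}.{minor}"
    if family not in AFFECTED_GRAALVM_EE:
        return "not-listed"
    return "affected" if int(patch) <= AFFECTED_GRAALVM_EE[family] else "patched"


def assess(version_output: str) -> dict:
    """Interpret the text printed by `java -version` (which goes to stderr)."""
    result = {}
    jv = re.search(r'version "([^"]+)"', version_output)
    if jv:
        result["java_se"] = (jv.group(1), java_se_status(jv.group(1)))
    gv = re.search(r"GraalVM EE (\d+\.\d+\.\d+)", version_output)   # line format assumed
    if gv:
        result["graalvm_ee"] = (gv.group(1), graalvm_status(gv.group(1)))
    return result


def assess_local_java() -> dict:
    """Run the java binary on PATH and assess it; returns {} when none is installed."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return {}
    return assess(proc.stderr or proc.stdout)


# Constructed sample outputs (not captured from real hosts).
SAMPLE_JDK8 = ('java version "1.8.0_301"\n'
               'Java(TM) SE Runtime Environment (build 1.8.0_301-b09)\n')
SAMPLE_JDK11_PATCHED = ('java version "11.0.13" 2021-10-19 LTS\n'
                        'Java(TM) SE Runtime Environment 18.9 (build 11.0.13+10-LTS-370)\n')
SAMPLE_GRAALVM = ('java version "11.0.12" 2021-07-20 LTS\n'
                  'Java(TM) SE Runtime Environment GraalVM EE 21.2.0 (build 11.0.12+8-LTS-jvmci-21.2-b06)\n')

if __name__ == "__main__":
    for sample in (SAMPLE_JDK8, SAMPLE_JDK11_PATCHED, SAMPLE_GRAALVM):
        print(assess(sample))
    print("local:", assess_local_java())
```

A GraalVM build reports both its base Java SE version and its own GraalVM version, so both are assessed; "not-listed" means the family does not appear in this advisory at all, which is not the same as "patched" and should be resolved against the vendor's release notes rather than assumed safe.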