CVE-2021-35567 in Java SE
Summary
by MITRE • 10/20/2021
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/15/2025
This vulnerability resides within the Java SE and Oracle GraalVM Enterprise Edition libraries, specifically targeting the Kerberos authentication mechanism that is integral to enterprise security infrastructures. The flaw manifests in versions Java SE 8u301, 11.0.12, and 17, alongside Oracle GraalVM Enterprise Edition versions 20.3.3 and 21.2.0, representing a critical weakness that can be exploited by low-privileged attackers with network access. The vulnerability operates through the Kerberos protocol implementation, where attackers can manipulate authentication flows to gain unauthorized access to sensitive data within the Java runtime environment.
The technical exploitation of CVE-2021-35567 leverages a flaw in how Java processes Kerberos tickets, particularly in the context of authentication delegation and credential handling. This vulnerability is classified as easily exploitable due to its low attack complexity requirements and the fact that it can be triggered through network-based attacks without requiring extensive privileges. The vulnerability specifically affects Java deployments that execute untrusted code within sandboxed environments, such as Java Web Start applications or applets that load code from the internet. The attack vector operates through the standard Kerberos authentication flow, where malicious actors can manipulate the credential processing mechanisms to bypass security controls.
The operational impact of this vulnerability extends beyond the immediate Java runtime environment, potentially affecting multiple interconnected systems that rely on Java-based authentication services. According to the CVSS 3.1 scoring system, the vulnerability carries a base score of 6.8, reflecting high confidentiality impact and moderate exploitability characteristics. The attack requires human interaction from users other than the attacker, indicating that social engineering or user manipulation may be necessary to initiate the exploit. The vulnerability's classification as a CWE (Common Weakness Enumeration) issue demonstrates a specific weakness in cryptographic implementation and authentication mechanisms, particularly concerning Kerberos ticket handling.
Security implications of this vulnerability are severe as successful exploitation can result in unauthorized access to critical data or complete access to all data accessible through the Java SE and GraalVM Enterprise Edition runtime environments. The attack can compromise sensitive information stored within Java applications and potentially provide attackers with elevated privileges within the affected systems. Organizations using these Java versions must be particularly concerned about environments where Java Web Start applications or applets are deployed, as these contexts create the perfect conditions for exploitation. The vulnerability's impact is further amplified in enterprise environments where Kerberos authentication is widely used for single sign-on and cross-domain authentication scenarios.
Mitigation strategies for CVE-2021-35567 should prioritize immediate patching of affected Java SE and GraalVM Enterprise Edition installations to the latest security releases. Organizations should also implement network-level controls to restrict Kerberos traffic and monitor for anomalous authentication patterns that might indicate exploitation attempts. Additionally, security teams should review and harden Java sandbox configurations, particularly for applications that load untrusted code from external sources. The implementation of principle of least privilege access controls and regular security audits of Java-based applications can significantly reduce the risk of successful exploitation. Organizations should also consider disabling Kerberos authentication for non-essential applications and implementing additional monitoring for credential usage patterns that deviate from normal operational behavior. This vulnerability demonstrates the critical importance of maintaining up-to-date Java runtime environments and highlights the risks associated with legacy authentication protocols in modern enterprise security architectures.