CVE-2021-35586 in Java SE

Summary

by MITRE • 10/20/2021

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).


Analysis

by VulDB Data Team • 05/15/2025

This vulnerability resides in the ImageIO component of Oracle Java SE and GraalVM Enterprise Edition and poses an availability risk to several supported versions: Java SE 7u311, 8u301, 11.0.12 and 17, and GraalVM Enterprise Edition 20.3.3 and 21.2.0. It is easily exploitable: an unauthenticated remote attacker can reach it over multiple network protocols, which illustrates the risk inherent in image-processing libraries that handle untrusted input. The CWE-129 classification points to improper bounds validation during image data handling.

Exploitation goes through ImageIO's image-data processing, where insufficient input validation lets a crafted image file trigger unexpected behaviour in the Java runtime. The flaw sits on a security boundary: it matters most for sandboxed applications that rely on Java's security model to isolate untrusted code. It is reachable through Java Web Start applications or applets that load external image content, and through web services that pass data to the affected ImageIO APIs. The CVSS 3.1 base score of 5.3 reflects medium severity: low attack complexity, no privileges and no user interaction required, with impact limited to availability. It is most dangerous in environments where users interact with untrusted web content.

The operational impact is a partial denial of service of Java applications that depend on image processing: application instability, resource exhaustion or outright failure when malicious image data reaches the vulnerable code path. Because both client-side sandboxed applications and server-side web services are in scope, the attack surface is broad, and web applications that process user-uploaded images or fetch external image resources are of particular concern. Exploitation requires no authentication, only network access to the affected Java deployment, which maps to ATT&CK techniques T1203 (Exploitation for Client Execution) and T1059 (Command and Scripting Interpreter).

Immediate mitigations are to update to the patched Java SE and GraalVM Enterprise Edition releases, disable image-processing features that web applications do not need, and apply network-level restrictions so that only authorised clients can reach affected Java applications. Security teams should also consider web application firewalls and input-validation controls aimed specifically at image data processing. The vulnerability underlines the importance of input validation in multimedia libraries and of security testing for image-handling components in Java applications. Regular assessments should look for similar weaknesses in third-party libraries and components that process untrusted data, especially those running inside sandboxes where the usual security controls may not suffice.
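As an added illustration of the input-validation control recommended above (this is example code written for this page, not Oracle's or VulDB's, and the byte, dimension and time limits are assumed placeholders, not values from the advisory), the following wrapper bounds what an untrusted image may cost before ImageIO fully decodes it: it caps the input size, reads only the header to check the declared dimensions, and runs the decode under a time budget on a dedicated thread.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Iterator;
import java.util.concurrent.*;

/** Defensive wrapper around ImageIO for images from untrusted sources (example code). */
public final class SafeImageDecoder {
    // Assumed limits for illustration; tune to the application's real needs.
    private static final int MAX_BYTES = 5 * 1024 * 1024;   // reject inputs larger than 5 MiB
    private static final int MAX_DIMENSION = 8192;          // per-side pixel cap
    private static final long MAX_PIXELS = 40_000_000L;     // width * height cap
    private static final long DECODE_TIMEOUT_SECONDS = 5;   // caller's wait budget per image

    // Small, bounded pool so a slow decode cannot occupy request-handling threads.
    private static final ExecutorService DECODER = Executors.newFixedThreadPool(2, r -> {
        Thread t = new Thread(r, "image-decoder");
        t.setDaemon(true);
        return t;
    });

    static {
        // Keep ImageIO from spilling every decode to a temp file on disk.
        ImageIO.setUseCache(false);
    }

    /** Decodes untrusted bytes, enforcing size, dimension and time limits. */
    public static BufferedImage decodeUntrusted(byte[] data) throws IOException {
        if (data == null || data.length == 0) throw new IOException("empty input");
        if (data.length > MAX_BYTES) throw new IOException("input exceeds " + MAX_BYTES + " bytes");

        Future<BufferedImage> f = DECODER.submit(() -> decode(data));
        try {
            return f.get(DECODE_TIMEOUT_SECONDS, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            f.cancel(true);
            throw new IOException("decode exceeded time budget");
        } catch (ExecutionException e) {
            Throwable c = e.getCause();
            if (c instanceof IOException) throw (IOException) c;
            throw new IOException("decode failed: " + c, c);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while decoding");
        }
    }

    private static BufferedImage decode(byte[] data) throws IOException {
        try (InputStream in = new ByteArrayInputStream(data);
             ImageInputStream iis = ImageIO.createImageInputStream(in)) {
            if (iis == null) throw new IOException("unsupported input");
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
            if (!readers.hasNext()) throw new IOException("unrecognised image format");
            ImageReader reader = readers.next();
            try {
                reader.setInput(iis, true, true); // seekForwardOnly, ignoreMetadata
                // Header-only dimension check before committing memory to a full decode.
                int w = reader.getWidth(0);
                int h = reader.getHeight(0);
                if (w <= 0 || h <= 0 || w > MAX_DIMENSION || h > MAX_DIMENSION
                        || (long) w * h > MAX_PIXELS) {
                    throw new IOException("rejected image dimensions " + w + "x" + h);
                }
                BufferedImage img = reader.read(0);
                if (img == null) throw new IOException("decoder returned no image");
                return img;
            } finally {
                reader.dispose(); // release native/decoder resources even on failure
            }
        }
    }

    /** Stand-alone demo: decodes a constructed 2x2 PNG through the guarded path. */
    public static void main(String[] args) throws IOException {
        BufferedImage tiny = new BufferedImage(2, 2, BufferedImage.TYPE_INT_RGB);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ImageIO.write(tiny, "png", out);
        BufferedImage decoded = decodeUntrusted(out.toByteArray());
        System.out.println("decoded " + decoded.getWidth() + "x" + decoded.getHeight());
    }
}
```

The timeout bounds the caller's wait, not the worker's CPU: a decoder that ignores interruption keeps its pool thread busy until it finishes, which is why the pool is small and separate from request handling. For high-exposure services, decoding in a separate process or container gives a harder limit, and none of this replaces applying the vendor patch.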

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.06322

KEV

no

Activities

very low
