CVE-2021-35603 in Java SEinfo

Summary

by MITRE • 10/20/2021

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/15/2024

This vulnerability resides within the Java Secure Socket Extension component of Oracle Java SE and GraalVM Enterprise Edition, representing a significant security weakness that affects multiple supported versions including Java 7u311, 8u301, 11.0.12, and 17, alongside GraalVM versions 20.3.3 and 21.2.0. The flaw manifests as a difficulty in exploitation but remains a serious concern for systems running sandboxed Java applications. The vulnerability specifically targets the TLS implementation within these Java deployments, creating a pathway for unauthenticated attackers to gain unauthorized access to sensitive data through network-based attacks. The CVSS score of 3.7 indicates a low to medium severity impact primarily focused on confidentiality rather than integrity or availability, yet the potential for data exfiltration makes it particularly concerning in enterprise environments.

The technical nature of this vulnerability stems from weaknesses in the JavaScript Secure Socket Extension implementation that handles TLS connections, allowing attackers to bypass expected security boundaries within the Java sandbox environment. This flaw particularly affects deployments where Java Web Start applications or applets operate in sandboxed environments, loading and executing untrusted code from external sources. The vulnerability's impact is amplified when considering that modern web services often rely on APIs that could be leveraged to exploit this weakness, making it relevant beyond traditional desktop applications. The attack vector requires only network access and does not require authentication, making it particularly dangerous as it can be exploited remotely without prior access credentials.

The operational impact of this vulnerability extends beyond simple data theft, as it undermines the fundamental security model of Java sandboxed applications that depend on code isolation for protection. Organizations running Java applications in client environments, particularly those utilizing Java Web Start or applets for business-critical functions, face potential exposure to unauthorized data access. The vulnerability affects systems where untrusted code execution is expected and relies on the Java sandbox for security enforcement, making it particularly problematic for environments that host web-based applications or services that utilize Java APIs for data processing. The fact that this vulnerability can be exploited through web services that supply data to APIs means that even server-side applications using Java components could be at risk if they interface with vulnerable client applications.

Mitigation strategies should focus on immediate patching of affected Java versions, implementing network segmentation to limit exposure, and reviewing application configurations to reduce reliance on potentially vulnerable APIs. Organizations should also consider disabling unnecessary Java applet or Web Start functionality where possible, as these components are primary attack vectors for this vulnerability. The implementation of network monitoring and anomaly detection systems can help identify potential exploitation attempts. Additionally, organizations should conduct thorough assessments of their Java deployment environments to identify all systems running affected versions and prioritize remediation efforts. This vulnerability aligns with CWE-295 which addresses improper certificate validation and relates to ATT&CK technique T1071.004 for application layer protocol usage, particularly in the context of TLS/SSL protocol manipulation and data exfiltration through compromised Java applications.

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.04104

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!