CVE-2024-21145
📋 TL;DR
This vulnerability in Oracle Java SE's 2D component allows unauthenticated attackers with network access to potentially modify or read some accessible data. It affects multiple Java versions and GraalVM implementations, particularly dangerous for systems running untrusted code via Java Web Start or applets. The attack is difficult to exploit but can impact both confidentiality and integrity.
💻 Affected Systems
- Oracle Java SE
- Oracle GraalVM for JDK
- Oracle GraalVM Enterprise Edition
📦 What is this software?
Bluexp by Netapp
Cloud Insights Storage Workload Security Agent by Netapp
View all CVEs affecting Cloud Insights Storage Workload Security Agent →
Graalvm by Oracle
Graalvm by Oracle
Graalvm by Oracle
Jdk by Oracle
Jdk by Oracle
Jdk by Oracle
Jdk by Oracle
Jdk by Oracle
Jdk by Oracle
Jre by Oracle
Jre by Oracle
Jre by Oracle
Jre by Oracle
Jre by Oracle
Jre by Oracle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify critical data or exfiltrate sensitive information from Java applications, potentially leading to data corruption or unauthorized access to restricted data.
Likely Case
Limited data manipulation or unauthorized reading of non-critical data in vulnerable Java deployments, particularly in environments running untrusted Java applications.
If Mitigated
With proper network segmentation and Java sandbox restrictions, impact would be minimal to none as the vulnerability requires specific conditions to exploit.
🎯 Exploit Status
Exploitation requires network access via multiple protocols and is described as 'difficult to exploit' by Oracle. The vulnerability can be triggered through APIs in the 2D component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply Critical Patch Update for July 2024 - specific patched versions available in Oracle advisory
Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2024.html
Restart Required: Yes
Instructions:
1. Review Oracle's July 2024 Critical Patch Update advisory. 2. Download and install the appropriate patched version for your Java installation. 3. Restart all Java applications and services. 4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Java Web Start and Applets
allPrevent execution of untrusted Java code via web technologies
For browsers: Disable Java plugin
For systems: Remove or disable Java Web Start
Network Segmentation
allRestrict network access to Java applications
Configure firewall rules to limit inbound connections to Java services
Implement network segmentation for Java application servers
🧯 If You Can't Patch
- Implement strict network controls to limit access to Java applications
- Disable or remove Java Web Start and applet functionality entirely
🔍 How to Verify
Check if Vulnerable:
Check Java version using 'java -version' command and compare against affected versions listed in the advisoryCheck Version:
java -versionVerify Fix Applied:
Verify Java version is updated to a version not listed in the affected versions, then test Java applications for functionality📡 Detection & Monitoring
Log Indicators:
- Unusual network connections to Java applications
- Errors or exceptions in Java application logs related to 2D component
Network Indicators:
- Unexpected network traffic to Java application ports
- Multiple protocol attempts to Java services
SIEM Query:
source="java_app.log" AND (error OR exception) AND "2D" OR destination_port IN (java_ports) AND protocol_count > 1