CVE-2021-2161: 
NixOS vulnerability analysis and mitigation

CVE-2021-2161 is a vulnerability in Java SE, Java SE Embedded, and Oracle GraalVM Enterprise Edition's Libraries component. The affected versions include Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. The vulnerability was disclosed in April 2021 and is described as difficult to exploit but allows unauthenticated attackers with network access via multiple protocols to compromise the affected systems (Oracle CPU).

The vulnerability has been assigned a CVSS 3.1 Base Score of 5.9 (Medium) with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. This indicates that while the vulnerability is network-accessible, it is difficult to exploit and requires no privileges or user interaction. The vulnerability specifically applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component (NVD).

Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. The vulnerability primarily affects the integrity of the system, with no direct impact on confidentiality or availability (NetApp Advisory).

Oracle has released patches for all affected versions. Users should upgrade to the latest versions of Java SE, Java SE Embedded, and Oracle GraalVM Enterprise Edition. For Java SE, this means updating to versions newer than 7u291, 8u281, 11.0.10, and 16. For Java SE Embedded, versions after 8u281 should be used, and for Oracle GraalVM Enterprise Edition, versions after 19.3.5, 20.3.1.2, and 21.0.0.2 (Debian Security Advisory).