CVE-2021-35550: 
NixOS vulnerability analysis and mitigation

CVE-2021-35550 is a vulnerability in the Java SE and Oracle GraalVM Enterprise Edition products, specifically affecting the JSSE (Java Secure Socket Extension) component. The vulnerability affects Java SE versions 7u311, 8u301, 11.0.12, and Oracle GraalVM Enterprise Edition versions 20.3.3 and 21.2.0. This vulnerability was discovered by Asaf Greenholts of Bank Hapoalim and disclosed in October 2021 (Oracle CPU).

The vulnerability is characterized as difficult to exploit and allows unauthenticated attackers with network access via TLS to potentially compromise Java SE and Oracle GraalVM Enterprise Edition. The vulnerability relates to weak ciphers being preferred over stronger ones for TLS connections. It has a CVSS 3.1 Base Score of 5.9 with Confidentiality impacts (CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability particularly affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle CPU).

Oracle released patches for affected versions in their October 2021 Critical Patch Update. Users should upgrade to the fixed versions: Java SE 7u321, 8u311, 11.0.13, or later versions. For Oracle GraalVM Enterprise Edition, users should upgrade to versions later than 20.3.3 and 21.2.0 (Oracle CPU).