CVE-2021-35564: 
NixOS vulnerability analysis and mitigation

Vulnerability in the Java SE and Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). The affected versions include Java SE: 7u311, 8u301, 11.0.12, 17, and Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. This vulnerability was disclosed on October 20, 2021 (CVE Details, Oracle Advisory).

The vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE and Oracle GraalVM Enterprise Edition. The vulnerability has a CVSS Base Score of 5.3 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. It specifically affects the Keytool component and applies to Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle Advisory).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability primarily impacts system integrity, with no direct effect on confidentiality or availability (CVE Details).

Oracle has released patches to address this vulnerability in the October 2021 Critical Patch Update. Users should upgrade to the fixed versions: Java SE 7u321, 8u311, 11.0.13, or 17.0.1. For Oracle GraalVM Enterprise Edition, users should upgrade to versions later than 20.3.3 and 21.2.0. Various Linux distributions have also released security updates, including Debian (8u312-b07-1~deb9u1), Fedora, and Ubuntu (Debian Advisory, Ubuntu Advisory).