CVE-2021-35565: 
NixOS vulnerability analysis and mitigation

CVE-2021-35565 is a vulnerability in the Java SE and Oracle GraalVM Enterprise Edition products, specifically affecting the JSSE (Java Secure Socket Extension) component. The vulnerability affects Java SE versions 7u311, 8u301, 11.0.12, and Oracle GraalVM Enterprise Edition versions 20.3.3 and 21.2.0. This vulnerability was discovered by Tristen Hayfield of Cisco and was publicly disclosed in October 2021 (Oracle CPU).

The vulnerability involves a loop condition in HttpsServer that gets triggered during TLS session close operations. It is classified as an easily exploitable vulnerability that allows unauthenticated attackers with network access via TLS to compromise the affected components. The vulnerability has received a CVSS 3.1 Base Score of 5.3 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE and Oracle GraalVM Enterprise Edition. The vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service (NVD).

Oracle has released patches to address this vulnerability in their October 2021 Critical Patch Update. Users should upgrade to Java SE versions 7u321, 8u311, 11.0.13, or Oracle GraalVM Enterprise Edition versions newer than 20.3.3 and 21.2.0. Red Hat has also provided fixes through java-1.8.0-openjdk and java-11-openjdk updates (Red Hat Advisory).