CVE-2021-35567: 
Java vulnerability analysis and mitigation

CVE-2021-35567 is a vulnerability in Java SE and Oracle GraalVM Enterprise Edition affecting the Libraries component. The vulnerability was discovered by Chuck Hunley of sas.com and disclosed in October 2021. It affects Java SE versions 8u301, 11.0.12, 17, and Oracle GraalVM Enterprise Edition versions 20.3.3 and 21.2.0. The vulnerability relates to incorrect principal selection when using Kerberos Constrained Delegation (Oracle CPU, NVD).

The vulnerability has a CVSS v3.1 Base Score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N. It is a network-accessible vulnerability that requires low attack complexity and low privileges, but does require user interaction. The scope is changed and it primarily impacts confidentiality, with no impact on integrity or availability (NVD).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability specifically affects Java deployments that load and run untrusted code and rely on the Java sandbox for security (Oracle CPU).

Oracle released patches for affected versions in their October 2021 Critical Patch Update. Various Linux distributions have also released fixes: Debian provided fixes in openjdk-11 version 11.0.13+8-1~deb11u1 and openjdk-17 version 17.0.1+12-1+deb11u2, Fedora released updates for versions 33, 34, and 35, and Red Hat provided fixes in their OpenJDK builds (Debian Advisory, Red Hat Advisory).