CVE-2021-35586: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). The affected versions include Java SE: 7u311, 8u301, 11.0.12, 17, and Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. This vulnerability was disclosed in October 2021 (Oracle CPU).

The vulnerability exists in the ImageIO component and is easily exploitable by an unauthenticated attacker with network access via multiple protocols. The CVSS 3.1 Base Score is 5.3 (Availability impacts) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability applies to Java deployments that typically run sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet and rely on the Java sandbox for security (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE and Oracle GraalVM Enterprise Edition. The vulnerability can also be exploited through APIs in the specified Component, such as through a web service which supplies data to the APIs (Oracle CPU).

Oracle has released patches to address this vulnerability in their October 2021 Critical Patch Update. Users should upgrade to the fixed versions: Java SE versions 7u321, 8u311, 11.0.13, 17.0.1 or later. For Debian systems, fixes are available in version 11.0.13+8-1~deb11u1 for Debian 11 (bullseye) and version 17.0.1+12-1+deb11u2 for openjdk-17 (Debian Security Advisory, Debian Security Advisory).