CVE-2024-20921: 
Amazon Corretto JDK vulnerability analysis and mitigation

A vulnerability has been identified in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically in the Hotspot component. The affected versions include Oracle Java SE versions 8u391, 8u391-perf, 11.0.21, 17.0.9, and 21.0.1; Oracle GraalVM for JDK versions 17.0.9 and 21.0.1; and Oracle GraalVM Enterprise Edition versions 20.3.12, 21.3.8, and 22.3.4. This vulnerability is classified as difficult to exploit and requires network access via multiple protocols (Oracle CPU Jan 2024).

The vulnerability is related to a range check loop optimization issue in the Hotspot component. It has been assigned a CVSS 3.1 Base Score of 5.9 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability can be exploited through APIs in the specified Component, such as through web services that supply data to the APIs (Oracle CPU Jan 2024).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data. The vulnerability particularly affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle CPU Jan 2024).

Oracle has released patches to address this vulnerability as part of its January 2024 Critical Patch Update. Users are advised to update to the latest versions of the affected products. For Java SE, this includes updating to version 17.0.10 which contains security fixes for this vulnerability (Red Hat Advisory).