CVE-2024-21131: 
Amazon Corretto JDK vulnerability analysis and mitigation

A vulnerability (CVE-2024-21131) has been identified in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products, specifically in the Hotspot component. The affected versions include Oracle Java SE (8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1), Oracle GraalVM for JDK (17.0.11, 21.0.3, 22.0.1), and Oracle GraalVM Enterprise Edition (20.3.14 and 21.3.10). This vulnerability was disclosed in July 2024 as part of Oracle's Critical Patch Update (Oracle Advisory).

The vulnerability is characterized as difficult to exploit and involves a potential UTF8 size overflow issue (bug ID: 8314794). It has been assigned a CVSS 3.1 Base Score of 3.7 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability can be exploited through APIs in the specified Component, particularly through web services that supply data to the APIs (Oracle Advisory).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of the accessible data in affected Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition installations. The vulnerability particularly affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle Advisory).

Oracle has released patches for the affected versions as part of its July 2024 Critical Patch Update. Users are advised to update to the patched versions. For systems that cannot be immediately updated, it may be possible to reduce the risk by blocking network protocols required for attacks or removing privileges from users who don't need access to the affected packages (Oracle Advisory, NetApp Advisory).