CVE-2024-21140: 
Amazon Corretto JDK vulnerability analysis and mitigation

A vulnerability has been identified in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition (CVE-2024-21140). The affected versions include Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; and Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. This vulnerability is classified as difficult to exploit and allows unauthenticated attackers with network access via multiple protocols to compromise the affected systems (Oracle CPU).

The vulnerability is related to a Range Check Elimination (RCE) pre-loop limit overflow issue (identified as bug 8320548). It has been assigned a CVSS 3.1 Base Score of 4.8 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability can be exploited through APIs in the specified Component, particularly through web services that supply data to the APIs (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of the accessible data, as well as unauthorized read access to a subset of accessible data in the affected products. This vulnerability also applies to Java deployments that run sandboxed Java Web Start applications or sandboxed Java applets, particularly those that load and run untrusted code from the internet and rely on the Java sandbox for security (Oracle CPU).

Oracle has released patches to address this vulnerability as part of its July 2024 Critical Patch Update. Users are strongly advised to update to the latest versions of the affected products. For Java deployments, it's particularly important to apply these security patches without delay, especially in environments where untrusted code is executed (Oracle CPU, NetApp Advisory).