CVE-2024-21145: 
Amazon Corretto JDK vulnerability analysis and mitigation

CVE-2024-21145 is a vulnerability in Oracle Java SE's 2D component that affects multiple versions including Oracle Java SE (8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1), Oracle GraalVM for JDK (17.0.11, 21.0.3, 22.0.1), and Oracle GraalVM Enterprise Edition (20.3.14 and 21.3.10). The vulnerability was discovered by Sergey Bylokhov of Amazon and disclosed in Oracle's July 2024 Critical Patch Update (Oracle CPU).

The vulnerability is characterized as difficult to exploit and involves out-of-bounds access in 2D image handling. It has been assigned a CVSS 3.1 Base Score of 4.8 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates that while the vulnerability is network-accessible, it requires high attack complexity, needs no privileges, and requires no user interaction (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data, as well as unauthorized read access to a subset of Oracle Java SE accessible data. The vulnerability can be exploited through APIs in the 2D component, such as through a web service which supplies data to the APIs (NVD).

Oracle has released patches to address this vulnerability in their July 2024 Critical Patch Update. Users are strongly recommended to update to the patched versions of affected products. For Java SE, this includes updating to versions 8u411, 11.0.23, 17.0.11, 21.0.3, or 22.0.1 depending on the version in use (Oracle CPU).