CVE-2024-21211: 
Amazon Corretto JDK vulnerability analysis and mitigation

CVE-2024-21211 is a vulnerability affecting Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition (component: Compiler). The affected versions include Oracle Java SE: 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. The vulnerability was disclosed in October 2024 (Oracle CPU).

This is a difficult to exploit vulnerability that allows unauthenticated attackers with network access via multiple protocols to compromise the affected components. The vulnerability has a CVSS 3.1 Base Score of 3.7 (LOW) with the vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability can be exploited through APIs in the specified Component, such as through a web service which supplies data to the APIs (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data. The vulnerability also applies to Java deployments that typically run in clients with sandboxed Java Web Start applications or sandboxed Java applets, which load and run untrusted code and rely on the Java sandbox for security (Oracle CPU).

Oracle has released patches to address this vulnerability in the October 2024 Critical Patch Update. Users should update to the following fixed versions: Oracle Java SE: beyond version 23; Oracle GraalVM for JDK: beyond versions 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: beyond versions 20.3.15 and 21.3.11 (Oracle CPU, NetApp Advisory).