CVE-2024-21217: 
Amazon Corretto JDK vulnerability analysis and mitigation

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). The affected versions include Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. This vulnerability was disclosed in October 2024 (Oracle CPU).

The vulnerability is classified as difficult to exploit and allows unauthenticated attackers with network access via multiple protocols to compromise the affected components. The vulnerability has been assigned a CVSS 3.1 Base Score of 3.7 (Availability impacts) with the vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). The vulnerability can be exploited through APIs in the specified Component, such as through a web service which supplies data to the APIs (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The vulnerability particularly affects Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle CPU).

Oracle has released patches to address this vulnerability as part of its October 2024 Critical Patch Update. Users are strongly recommended to apply these security patches as soon as possible. The patches are available for Oracle Java SE versions 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23, Oracle GraalVM for JDK versions 17.0.12, 21.0.4, 23, and Oracle GraalVM Enterprise Edition versions 20.3.15 and 21.3.11 (Oracle CPU, Red Hat).