CVE-2024-21235: 
Amazon Corretto JDK vulnerability analysis and mitigation

CVE-2024-21235 is a vulnerability in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products, specifically affecting the Hotspot component. The vulnerability affects multiple versions including Oracle Java SE (8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23), Oracle GraalVM for JDK (17.0.12, 21.0.4, 23), and Oracle GraalVM Enterprise Edition (20.3.15 and 21.3.11). This vulnerability was disclosed in October 2024 as part of Oracle's Critical Patch Update (Oracle Advisory).

The vulnerability is characterized as difficult to exploit and involves an integer conversion error that leads to incorrect range checking in the Hotspot component. It has been assigned a CVSS 3.1 Base Score of 4.8 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability can be exploited through APIs in the specified Component, such as through a web service which supplies data to the APIs (Oracle Advisory).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition accessible data. Additionally, it can lead to unauthorized read access to a subset of accessible data. The vulnerability particularly affects Java deployments that load and run untrusted code and rely on the Java sandbox for security (Oracle Advisory).

Oracle has released patches for this vulnerability as part of its October 2024 Critical Patch Update. Users are strongly advised to update to the patched versions of the affected products. The vulnerability has been fixed in Java SE versions 8u421, 11.0.24, 17.0.12, 21.0.4, and 23, as well as in the corresponding GraalVM versions (Oracle Advisory).