CVE-2025-21587: 
Amazon Corretto JDK vulnerability analysis and mitigation

A vulnerability has been identified in Oracle Java SE (component: JSSE) affecting multiple Oracle products including Oracle Java SE (versions 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24), Oracle GraalVM for JDK (versions 17.0.14, 21.0.6, 24), and Oracle GraalVM Enterprise Edition (versions 20.3.17 and 21.3.13). The vulnerability, tracked as CVE-2025-21587, was discovered by Alicja Kario and disclosed on April 15, 2025 (Oracle CPU).

The vulnerability is classified as difficult to exploit and allows unauthenticated attackers with network access via multiple protocols to compromise affected systems. It has received a CVSS 3.1 Base Score of 7.4 (High severity) with the vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high impacts on both confidentiality and integrity but no impact on availability. The vulnerability can be exploited through APIs in the JSSE component, particularly through web services that supply data to these APIs (NVD).

Successful exploitation of this vulnerability can result in unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to critical data across all affected Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition installations. The vulnerability particularly affects Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and execute untrusted code from the internet (NVD).

Oracle has released patches for all affected versions as part of the April 2025 Critical Patch Update. Users are strongly advised to update to the following versions: Java SE 8u441, 11.0.26, 17.0.14, 21.0.6, 24; GraalVM for JDK 17.0.14, 21.0.6, 24; and GraalVM Enterprise Edition 20.3.17 and 21.3.13 (Oracle CPU).