PT-2024-4881 · Oracle · Java SE
Yakov Shafranovich
·
Published
2024-04-16
·
Updated
2026-05-08
·
CVE-2024-21085
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions:
Oracle Java SE versions 8u401, 8u401-perf, 11.0.22
Oracle GraalVM Enterprise Edition versions 20.3.13, 21.3.9
Description:
The issue stems from insufficient input validation in the Concurrency component of Oracle Java SE and Oracle GraalVM Enterprise Edition. An unauthenticated attacker with network access via multiple protocols can exploit it to cause a partial denial of service (DoS). The CVSS vector matches that description: network attack vector, high attack complexity, no privileges or user interaction required, and impact limited to availability, which is why the score is a Low 3.7. The bug is reachable through APIs in the Concurrency component, for example through a web service that passes attacker-supplied data to those APIs. It also applies to Java deployments (typically clients running sandboxed Java Web Start applications or applets) that load and run untrusted code from the internet and rely on the Java sandbox for security.
Recommendations:
For Oracle Java SE 8u401, 8u401-perf and 11.0.22, update to the release delivered with Oracle's April 2024 Critical Patch Update (the CPU that published this CVE) or later.
For Oracle GraalVM Enterprise Edition 20.3.13 and 21.3.9, update to the release delivered with the same Critical Patch Update or later.
Until the patch is applied, reduce the network exposure of services that pass attacker-controlled input into the affected APIs. The flaw is in the JDK itself, so there is no separate "Concurrency" service to firewall off; the exposure is through the applications that feed untrusted data into those APIs.
Do not feed data from untrusted sources into the Concurrency component's APIs until the fix is in place, and do not rely on the Java sandbox to contain untrusted code on the listed versions.
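As an added example (not part of this advisory or of Oracle's own tooling), the following triage helper classifies `java -version` banners against the Java SE versions listed above so that a fleet sweep can be done from collected banners rather than by hand. It assumes the two banner formats shown (legacy `1.8.0_NNN` for Java 8, `MAJOR.MINOR.SECURITY` for Java 11+), uses constructed sample banners, and treats earlier updates in the same release line as also needing the update; that last point is an inference of this example, not a statement of the advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Affected Oracle Java SE releases listed in this advisory, normalised to
# {release line: update}. 8u401 and 8u401-perf both normalise to (8, 401).
AFFECTED_JAVA_SE: Dict[int, int] = {8: 401, 11: 22}

# Java 8 prints the legacy form   java version "1.8.0_401"
# Java 9+ prints                  openjdk version "11.0.22" 2024-01-16
_LEGACY_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')
_MODERN_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (release line, update) from a `java -version` banner, or None if unparseable."""
    m = _LEGACY_RE.search(banner)
    if m:
        # "1.8.0_401" -> (8, 401); a bare "1.8.0" GA build counts as update 0.
        return int(m.group(1)), int(m.group(2) or 0)
    m = _MODERN_RE.search(banner)
    if m:
        # "11.0.22" -> (11, 22): the third field is the security/update counter.
        return int(m.group(1)), int(m.group(3))
    return None


def triage(banner: str) -> str:
    """Classify a banner against the advisory's affected versions.

    listed_affected    exact version named in the advisory
    older_than_listed  same release line, earlier update (assumed to predate the fix)
    not_listed         release line not in the advisory, or a newer update
    unknown            banner could not be parsed; check the host by hand
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    line, update = parsed
    if line not in AFFECTED_JAVA_SE:
        return "not_listed"
    listed = AFFECTED_JAVA_SE[line]
    if update == listed:
        return "listed_affected"
    if update < listed:
        return "older_than_listed"
    return "not_listed"


# Constructed sample banners (not captured from real hosts) standing in for
# the output of `java -version 2>&1` collected from each machine.
SAMPLE_BANNERS: Dict[str, str] = {
    "build-server": 'java version "1.8.0_401"\nJava(TM) SE Runtime Environment (build 1.8.0_401-b10)',
    "api-gateway": 'openjdk version "11.0.22" 2024-01-16\nOpenJDK Runtime Environment (build 11.0.22+7)',
    "legacy-box": 'java version "1.8.0_391"',
    "new-service": 'openjdk version "17.0.10" 2024-01-16',
    "no-java": "bash: java: command not found",
}


def sweep(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> triage verdict for a collection of banners."""
    return {host: triage(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in sweep(SAMPLE_BANNERS).items():
        print(f"{host:14} {verdict}")
```

A version-string match is only a starting point. The distributions under Affected Products ship their own OpenJDK builds, often with backported fixes under different build strings, so a host reported as `older_than_listed` or `listed_affected` should be confirmed against the vendor's advisory before it is counted as vulnerable, and an `unknown` result means the banner format was not one of the two assumed here.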
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
GraalVM Enterprise Edition
IBM AIX
Java Platform
Java SE
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu