PT-2024-5598 · Ibm+11 · Ibm Sdk+14

Yakov Shafranovich · Published 2024-07-16 · Updated 2026-05-08 · CVE-2024-21144

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Oracle Java SE versions 8u411, 8u411-perf, 11.0.23
Oracle GraalVM Enterprise Edition versions 20.3.14, 21.3.10
IBM SDK, Java Technology Edition versions 7.1.0.0 through 7.1.5.18
IBM SDK, Java Technology Edition versions 8.0.0.0 through 8.0.8.26

Description

The issue is related to insufficient input validation in the Concurrency component, allowing an unauthenticated attacker with network access via multiple protocols to compromise the system. Successful attacks can result in a partial denial of service. This issue applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets. The vulnerability does not apply to Java deployments that load and run only trusted code, typically in servers.

Recommendations

For Oracle Java SE versions 8u411, 8u411-perf, 11.0.23, update to a version that includes the fix for this issue.
For Oracle GraalVM Enterprise Edition versions 20.3.14, 21.3.10, update to a version that includes the fix for this issue.
For IBM SDK, Java Technology Edition versions 7.1.0.0 through 7.1.5.18, update to a version outside of this range.
For IBM SDK, Java Technology Edition versions 8.0.0.0 through 8.0.8.26, update to a version outside of this range.
As a temporary workaround, consider restricting access to the Concurrency component until a patch is available.

Exploit

Fix

Improper Resource Release

Weakness Enumeration

Related Identifiers

ALSA-2024:4563
ALSA-2024:4567
ALT-PU-2024-17629
ALT-PU-2024-17630
ALT-PU-2024-17633
ALT-PU-2024-17637
ALT-PU-2024-17641
ALT-PU-2024-17642
ALT-PU-2025-1037
ALT-PU-2025-6317
BDU:2024-06285
BIT-JAVA-2024-21144
BIT-JAVA-MIN-2024-21144
BIT-JRE-2024-21144
CESA-2024_4563
CESA-2024_4567
CVE-2024-21144
DSA-5736-1
INFSA-2024_4563
INFSA-2024_4567
MGASA-2024-0319
OESA-2024-1906
OESA-2024-1907
OESA-2024-1908
OESA-2024-1909
OESA-2024-1957
OESA-2024-1958
OESA-2024-2485
OESA-2024-2486
OESA-2024-2487
OESA-2024-2488
OESA-2024-2489
OPENSUSE-SU-2024:14206-1
OPENSUSE-SU-2024:14233-1
OPENSUSE-SU-2024_2786-1
OPENSUSE-SU-2024_3140-1
OPENSUSE-SU-2024_3162-1
OPENSUSE-SU-2025:0066-1
RHSA-2024:4560
RHSA-2024:4563
RHSA-2024:4564
RHSA-2024:4567
RHSA-2024_4563
RHSA-2024_4567
SUSE-SU-2024:2590-1
SUSE-SU-2024:2629-1
SUSE-SU-2024:2766-1
SUSE-SU-2024:2786-1
SUSE-SU-2024:3140-1
SUSE-SU-2024:3162-1
SUSE-SU-2024:3183-1
USN-6929-1
USN-6930-1
USN-7096-1
USN-7096-2
USN-7097-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Graalvm Enterprise Edition
Ibm Aix
Ibm Sdk
Java Platform
Java Se
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu