CVE-2021-35561 Overview
CVE-2021-35561 is a denial of service vulnerability affecting the Utility component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to cause a partial denial of service (partial DoS) condition. The vulnerability affects Java deployments that load and run untrusted code, including sandboxed Java Web Start applications, sandboxed Java applets, and web services that supply data to vulnerable APIs.
Critical Impact
Unauthenticated remote attackers can exploit this vulnerability to disrupt Java-based applications and services, causing availability issues across affected enterprise environments without requiring any user interaction or special privileges.
Affected Products
- Oracle OpenJDK versions 7u311, 8u301, 11.0.12, and 17
- Oracle GraalVM Enterprise Edition versions 20.3.3 and 21.2.0
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp E-Series SANtricity OS Controller, Storage Manager, and Web Services
- NetApp HCI Management Node and SolidFire
- NetApp OnCommand Insight and Workflow Automation
- NetApp SANtricity Unified Manager and SnapManager (Oracle and SAP)
- Fedora versions 33, 34, and 35
- Debian Linux versions 9.0, 10.0, and 11.0
Discovery Timeline
- October 20, 2021 - CVE-2021-35561 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-35561
Vulnerability Analysis
This vulnerability exists within the Utility component of Java SE and Oracle GraalVM Enterprise Edition. The flaw enables remote attackers to cause resource exhaustion or service disruption without requiring authentication or user interaction. The attack can be executed over the network through multiple protocols, making it particularly concerning for internet-facing Java applications.
The vulnerability primarily affects client-side Java deployments that execute untrusted code within a sandbox environment, such as Java Web Start applications and Java applets loaded from external sources. However, the vulnerability can also be exploited server-side through web services and APIs that process external data using the affected Utility component.
Root Cause
The vulnerability stems from improper handling within the Utility component of the Java runtime. When processing certain inputs, the component fails to properly manage resources or validate data, allowing an attacker to trigger a denial of service condition. The exact technical mechanism relates to how the Utility component processes data in a manner that can be abused to cause partial service disruption.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending specially crafted requests to a Java-based web service that uses the vulnerable Utility APIs
- Tricking a user into loading a malicious Java applet or Web Start application that exploits the vulnerability
- Providing malicious data to applications that pass it to the affected component for processing
The vulnerability can be triggered through multiple network protocols, expanding the potential attack surface for organizations running affected Java versions.
Detection Methods for CVE-2021-35561
Indicators of Compromise
- Unusual resource consumption patterns in Java Virtual Machine (JVM) processes
- Increased memory usage or CPU utilization in Java-based applications without corresponding increase in legitimate traffic
- Application log entries indicating utility component errors or exceptions
- Service degradation or partial outages in Java-based web services
Detection Strategies
- Monitor JVM metrics including heap memory usage, garbage collection frequency, and thread counts for anomalous patterns
- Implement application-level logging to capture and alert on utility component exceptions
- Deploy network intrusion detection rules to identify patterns consistent with DoS attempts against Java services
- Use endpoint detection and response (EDR) solutions to monitor for abnormal Java process behavior
Monitoring Recommendations
- Configure alerting thresholds for Java application resource utilization metrics
- Enable verbose garbage collection logging to identify memory-related issues
- Implement centralized log aggregation for Java application logs to facilitate correlation and analysis
- Regularly audit which Java versions are deployed across the environment using software inventory tools
How to Mitigate CVE-2021-35561
Immediate Actions Required
- Upgrade Oracle OpenJDK to the latest patched version beyond 7u311, 8u301, 11.0.12, or 17
- Update Oracle GraalVM Enterprise Edition to versions newer than 20.3.3 or 21.2.0
- Apply vendor-specific patches for affected NetApp, Fedora, and Debian products
- Disable or restrict access to sandboxed Java applets and Web Start applications where not required
Patch Information
Oracle released security patches addressing this vulnerability as part of their October 2021 Critical Patch Update (CPU). Organizations should apply the appropriate patches based on their Java SE or GraalVM Enterprise Edition version:
- Review the Oracle Security Alert October 2021 for official patch guidance
- NetApp has published advisories for affected products via their NetApp Security Advisory
- Debian users should apply updates per Debian DSA-5000 Announcement and Debian DSA-5012 Announcement
- Gentoo users should reference Gentoo GLSA 202209-05 for package updates
Workarounds
- Restrict network access to Java-based services using firewall rules and network segmentation
- Disable Java applets and Web Start applications in web browsers where not business-critical
- Implement rate limiting and request throttling on web services that utilize Java backends
- Consider deploying a web application firewall (WAF) to filter potentially malicious requests targeting Java applications
# Check installed Java version
java -version
# List all Java installations on the system
update-alternatives --list java
# Update Java on Debian/Ubuntu systems
sudo apt-get update && sudo apt-get upgrade openjdk-11-jdk
# Update Java on RHEL/Fedora systems
sudo dnf update java-11-openjdk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
