CVE-2021-35565 Overview
CVE-2021-35565 is a denial of service vulnerability in the Java Secure Socket Extension (JSSE) component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This vulnerability allows unauthenticated attackers with network access via TLS to cause a partial denial of service condition against affected Java applications. The flaw is easily exploitable and can be triggered by supplying specially crafted data to JSSE APIs through network services, without requiring the use of untrusted Java Web Start applications or Java applets.
Critical Impact
Network-accessible Java applications using TLS can be disrupted by unauthenticated attackers, potentially impacting service availability for web services, APIs, and enterprise applications relying on affected Java versions.
Affected Products
- Oracle OpenJDK 7 Update 311, 8 Update 301, and 11.0.12
- Oracle GraalVM Enterprise Edition 20.3.3 and 21.2.0
- NetApp Active IQ Unified Manager, E-Series SANtricity products, OnCommand Insight, SnapManager
- NetApp HCI Management Node and SolidFire
- Fedora 33, 34, and 35
- Debian Linux 9.0, 10.0, and 11.0
Discovery Timeline
- October 20, 2021 - CVE-2021-35565 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-35565
Vulnerability Analysis
This vulnerability resides in the JSSE (Java Secure Socket Extension) component, which provides the framework and implementation for SSL, TLS, and DTLS protocols in Java. The flaw allows an unauthenticated attacker to exploit the vulnerability through network access via TLS connections. Unlike many Java vulnerabilities that require user interaction through applets or Web Start, this vulnerability can be exploited entirely through server-side API interactions, making it particularly relevant for backend services and web applications.
The attack does not compromise confidentiality or integrity of the system, but successfully exploiting this vulnerability results in a partial denial of service condition. The "partial" designation indicates that while the vulnerability can degrade service availability, it may not result in a complete system crash or full service outage. However, repeated exploitation could significantly impact application performance and user experience.
Root Cause
The vulnerability stems from improper handling of certain TLS protocol data within the JSSE component. When processing malformed or specially crafted TLS handshake or session data, the JSSE implementation fails to properly validate or limit resource consumption, allowing attackers to cause service degradation. The specific weakness was not assigned a detailed CWE classification by NVD, indicating Oracle has not publicly disclosed the precise code-level defect.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker sends malicious TLS traffic to any Java application that uses the JSSE component for secure communications. This includes web servers, application servers, RESTful APIs, and any networked Java service accepting TLS connections. The attack requires no user interaction and can be automated, making it suitable for use in denial of service campaigns against exposed Java services.
The vulnerability is exploited by supplying crafted data to JSSE APIs through legitimate TLS connection channels. Since this targets the protocol handling layer, any Java application accepting TLS connections on affected versions is potentially vulnerable, regardless of the application logic implemented on top of it.
Detection Methods for CVE-2021-35565
Indicators of Compromise
- Unusual increases in TLS handshake failures or connection resets from specific source IPs
- Elevated CPU or memory usage in Java processes handling TLS connections without corresponding legitimate traffic increases
- Application logs showing JSSE-related exceptions or errors during TLS processing
- Repeated connection attempts from the same sources that fail to complete normal transactions
Detection Strategies
- Monitor Java application logs for unusual JSSE exceptions or SSL/TLS processing errors
- Implement network traffic analysis to detect anomalous TLS handshake patterns targeting Java services
- Deploy application performance monitoring to identify degradation in TLS-enabled Java services
- Use intrusion detection systems with signatures for malformed TLS traffic patterns
Monitoring Recommendations
- Establish baseline metrics for TLS connection handling performance and alert on significant deviations
- Configure alerting on Java process resource utilization spikes, particularly memory and CPU
- Monitor network connection states for unusual patterns of half-open or failed TLS sessions
- Review and correlate firewall and load balancer logs with application-level TLS metrics
How to Mitigate CVE-2021-35565
Immediate Actions Required
- Upgrade to patched versions of Java SE: Java 7u321, 8u311, or 11.0.13 and later
- Update Oracle GraalVM Enterprise Edition to version 20.3.4 or 21.3.0 and later
- Apply vendor-specific patches for affected NetApp, Fedora, and Debian distributions
- Implement network-level rate limiting on TLS connections to affected services as a temporary measure
Patch Information
Oracle addressed this vulnerability in the October 2021 Critical Patch Update (CPU). The official security advisory is available at the Oracle CPU October 2021 Security Alert. Linux distribution users should apply updates through their package managers - Debian has released DSA-5000 and Fedora has issued package announcements for affected versions. NetApp customers should consult the NetApp Security Advisory for guidance on affected products.
Workarounds
- Implement Web Application Firewalls (WAF) or reverse proxies to inspect and filter TLS traffic before it reaches Java applications
- Use network segmentation to limit exposure of vulnerable Java services to trusted networks only
- Configure connection timeouts and limits on TLS-accepting services to reduce impact of exploitation attempts
- Consider using non-Java TLS termination (such as nginx or HAProxy) in front of vulnerable applications while awaiting patches
# Check current Java version to determine vulnerability status
java -version
# For Debian/Ubuntu systems, update OpenJDK packages
sudo apt update && sudo apt upgrade openjdk-11-jdk
# For RHEL/CentOS/Fedora systems, update OpenJDK packages
sudo dnf update java-11-openjdk
# Verify updated version after patching
java -version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
