CVE-2021-35567 Overview
CVE-2021-35567 is a vulnerability in the Java SE and Oracle GraalVM Enterprise Edition products affecting the Libraries component. This flaw allows a low-privileged attacker with network access via the Kerberos protocol to compromise affected Java installations. The vulnerability is easily exploitable but requires human interaction from a person other than the attacker. Notably, while the vulnerability exists in Java SE and GraalVM Enterprise Edition, successful attacks may significantly impact additional products beyond the vulnerable component.
This vulnerability is particularly concerning for Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and execute untrusted code from external sources such as the internet. Organizations relying on the Java sandbox for security isolation should prioritize remediation. The vulnerability can also be exploited through APIs in the specified Libraries component, including through web services that supply data to these APIs.
Critical Impact
Successful exploitation can result in unauthorized access to critical data or complete access to all Java SE and Oracle GraalVM Enterprise Edition accessible data, with attacks potentially impacting additional products beyond the vulnerable component.
Affected Products
- Oracle Java SE 8u301, 11.0.12, and 17
- Oracle GraalVM Enterprise Edition 20.3.3 and 21.2.0
- Oracle JDK 1.8.0 Update 301, 11.0.12, and 17
- Oracle JRE 1.8.0 Update 301, 11.0.12, and 17
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp E-Series SANtricity OS Controller, Storage Manager, and Web Services
- NetApp HCI Management Node, OnCommand Insight, OnCommand Workflow Automation
- NetApp Santricity Unified Manager, SnapManager, and SolidFire
- Debian Linux 9.0, 10.0, and 11.0
- Fedora 33, 34, and 35
Discovery Timeline
- October 20, 2021 - CVE-2021-35567 published to NVD
- August 15, 2025 - Last updated in NVD database
Technical Details for CVE-2021-35567
Vulnerability Analysis
This vulnerability resides in the Libraries component of Oracle Java SE and GraalVM Enterprise Edition, specifically affecting Kerberos authentication handling. The flaw enables attackers to bypass security controls and gain unauthorized access to sensitive data within Java environments.
The vulnerability's scope is notable because attacks against the vulnerable component can significantly impact additional products. This "changed scope" characteristic means that an attacker exploiting this vulnerability in Java may be able to access resources and data in other systems that trust the compromised Java environment.
The attack requires a low-privileged attacker to have network access to the target system via the Kerberos protocol. While the exploitation complexity is low, it requires some form of user interaction (such as clicking a link or visiting a malicious page), which provides a limited defensive barrier against fully automated attacks.
Root Cause
The vulnerability stems from improper handling within the Java Libraries component when processing Kerberos authentication requests. The flaw allows authentication mechanisms to be manipulated in a way that exposes confidential information to unauthorized parties. The issue affects the security boundaries that the Java sandbox is designed to enforce, particularly for applets and Web Start applications that load untrusted code.
Attack Vector
The attack vector is network-based, specifically leveraging the Kerberos authentication protocol. An attacker can exploit this vulnerability through several methods:
- Sandboxed Applications: Crafting malicious Java Web Start applications or Java applets that, when executed by a victim, exploit the vulnerability to access sensitive data
- API Exploitation: Supplying malicious data to vulnerable APIs through web services or other network-accessible interfaces that interact with the affected Libraries component
- Client-Side Attacks: Tricking users into running untrusted Java code that leverages the flaw to bypass sandbox restrictions
The vulnerability specifically targets confidentiality, allowing attackers to read sensitive information rather than modify or destroy data.
Detection Methods for CVE-2021-35567
Indicators of Compromise
- Unusual Kerberos authentication traffic patterns or failed authentication attempts from unexpected sources
- Java processes accessing sensitive files or resources outside of expected sandbox boundaries
- Anomalous network connections from Java applications to external or unexpected Kerberos Key Distribution Centers (KDCs)
- Suspicious Java Web Start or applet executions from untrusted sources
Detection Strategies
- Monitor for unexpected Kerberos ticket requests and authentications originating from Java processes
- Implement network traffic analysis to detect anomalous communications over Kerberos ports (TCP/UDP 88)
- Deploy application-level logging to track Java applet and Web Start application executions
- Use endpoint detection solutions to identify Java processes exhibiting unusual data access patterns
Monitoring Recommendations
- Enable verbose logging for Java Security Manager events to capture sandbox bypass attempts
- Configure SIEM rules to alert on unusual patterns of Kerberos authentication involving Java applications
- Implement file integrity monitoring for sensitive data accessible to Java applications
- Monitor for unexpected outbound data transfers following Java application execution
How to Mitigate CVE-2021-35567
Immediate Actions Required
- Update all Oracle Java SE installations to versions newer than 8u301, 11.0.12, and 17
- Upgrade Oracle GraalVM Enterprise Edition to versions newer than 20.3.3 and 21.2.0
- Disable Java browser plugins and Java Web Start if not required for business operations
- Restrict network access to Kerberos services from untrusted Java applications
- Apply vendor patches for affected third-party products including NetApp and Fedora/Debian distributions
Patch Information
Oracle has released patches for this vulnerability as part of the Oracle Critical Patch Update from October 2021. Organizations should apply the October 2021 CPU or later updates to all affected Java SE and GraalVM Enterprise Edition installations.
Additional vendor advisories and patches are available from:
- NetApp Security Advisory
- Debian Security Advisory DSA-5000
- Debian Security Advisory DSA-5012
- Gentoo GLSA 2022-09-05
- Debian LTS Announcement
Workarounds
- Disable Java Web Start and browser-based applet execution if not operationally required
- Implement strict network segmentation to limit Kerberos protocol access from Java application servers
- Configure Java Security Manager with restrictive policies to limit sandbox escape potential
- Deploy application whitelisting to prevent execution of untrusted Java applications
- Use SentinelOne Singularity Platform to monitor and protect Java application behavior for signs of exploitation
# Example: Disable Java Plugin and Web Start
# On Windows, disable via Java Control Panel or registry
reg add "HKLM\SOFTWARE\JavaSoft\Java Plug-in" /v UseJava2IExplorer /t REG_DWORD /d 0 /f
# On Linux, remove Java browser plugin symlinks
sudo update-alternatives --remove-all javaws
sudo update-alternatives --remove-all javaplugin
# Verify Java version is patched
java -version
# Ensure version is newer than 8u301, 11.0.12, or 17
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
