CVE-2021-35567 Overview
CVE-2021-35567 is a vulnerability in the Libraries component of Oracle Java SE and Oracle GraalVM Enterprise Edition. The flaw affects Java SE versions 8u301, 11.0.12, and 17, as well as Oracle GraalVM Enterprise Edition 20.3.3 and 21.2.0. A low-privileged attacker with network access via Kerberos can exploit the vulnerability, though successful attacks require user interaction. Exploitation can result in unauthorized access to critical data or complete access to all data accessible to Java SE or GraalVM. Because the CVSS scope is changed, a successful attack can affect resources beyond the vulnerable Java runtime itself; the flaw also reaches downstream products that bundle the runtime, including NetApp products and the Debian and Fedora distributions.
Critical Impact
A low-privileged network attacker can compromise the confidentiality of data accessible to Java SE and GraalVM through Kerberos, with cascading impact on downstream products that bundle the affected runtime.
Affected Products
- Oracle Java SE 8u301, 11.0.12, 17 and Oracle GraalVM Enterprise Edition 20.3.3, 21.2.0
- NetApp products including Active IQ Unified Manager, E-Series SANtricity OS Controller, OnCommand Insight, OnCommand Workflow Automation, SnapManager, HCI Management Node, and SolidFire
- Debian Linux 9.0, 10.0, 11.0 and Fedora 33, 34, 35
Discovery Timeline
- 2021-10-20 - CVE-2021-35567 published to NVD alongside the Oracle October 2021 Critical Patch Update
- 2025-08-15 - Last updated in the NVD database
Technical Details for CVE-2021-35567
Vulnerability Analysis
The vulnerability resides in the Libraries component of Oracle Java SE and GraalVM Enterprise Edition. It is reachable over the network through Kerberos authentication flows. The CWE classification is recorded as NVD-CWE-noinfo, indicating that Oracle has not publicly disclosed specific weakness details under its standard advisory practice.
Exploitation produces a high impact on confidentiality with no impact on integrity or availability. The scope is changed, meaning a successful attack can affect resources beyond the vulnerable Java runtime. This is significant in enterprise environments where Java underpins management consoles, storage controllers, and middleware platforms.
The vulnerability applies to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (such as code from the internet) and rely on the Java sandbox for security. It can also be exploited through APIs in the Libraries component, for example a web service that passes attacker-controlled data into the affected API surface.
Root Cause
The root cause is an information disclosure flaw in the Kerberos-related Libraries code path in Oracle Java SE and GraalVM Enterprise Edition. Oracle has not published technical specifics, consistent with its Critical Patch Update disclosure policy. The condition allows a low-privileged actor to retrieve data the Java sandbox should isolate when a user is induced to interact with attacker-supplied content.
Attack Vector
The attack vector is network-based via Kerberos. An attacker needs low privileges and user interaction from a victim other than the attacker. Typical scenarios include a victim loading a malicious Java Web Start application, executing a sandboxed applet from a hostile origin, or invoking a server-side API that forwards untrusted input to the vulnerable Libraries code path.
No verified public exploit code is available for CVE-2021-35567. For technical context, refer to the Oracle Critical Patch Update October 2021 and the NetApp Security Advisory.
Detection Methods for CVE-2021-35567
Indicators of Compromise
- Unexpected outbound Kerberos (TCP/UDP 88) traffic originating from Java application servers or developer workstations
- Java Web Start (javaws) or applet execution events sourced from untrusted internet domains
- Anomalous KRB5 ticket requests from Java runtime processes outside normal authentication windows
Detection Strategies
- Inventory all hosts running Oracle JDK, OpenJDK, JRE, or GraalVM at or below the affected versions (Java SE 8u301, 11.0.12, 17; GraalVM Enterprise Edition 20.3.3, 21.2.0)
- Correlate process execution telemetry for java, javaw, and javaws with subsequent Kerberos network activity to identify unexpected authentication flows
- Monitor NetApp management products and middleware that bundle vulnerable Java versions for outbound connections to untrusted Kerberos realms
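The version inventory step above can be automated by parsing the first line of `java -version` output from each host and comparing it with the advisory's affected versions. This is an added example, not code from Oracle or NetApp; the host names and banners are constructed, and the cut-off table covers only the Java SE lines the advisory names.

```python
import re

# Highest affected version per Java SE release line named in the advisory
# (8u301, 11.0.12, 17). Runtimes at or below these lack the October 2021 CPU.
AFFECTED_MAX = {8: (8, 0, 301), 11: (11, 0, 12), 17: (17, 0, 0)}

VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')

def parse_java_version(banner):
    """Turn the first line of `java -version` into (major, minor, update).
    Handles the legacy 1.8.0_301 form as well as 11.0.12 / 17 style strings."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no java version string in banner")
    v = m.group(1)
    if v.startswith("1."):                      # legacy scheme: 1.8.0_301 -> 8u301
        parts = v[2:].split("_")
        major = int(parts[0].split(".")[0])
        update = int(parts[1]) if len(parts) > 1 else 0
        return (major, 0, update)
    nums = [int(x) for x in re.split(r"[.+-]", v) if x.isdigit()]
    nums += [0] * (3 - len(nums))               # "17" -> (17, 0, 0)
    return tuple(nums[:3])

def is_affected(version):
    """True if at or below the affected cut-off, False if newer,
    None if the release line is not listed in the advisory."""
    major = version[0]
    if major not in AFFECTED_MAX:
        return None
    return version <= AFFECTED_MAX[major]

def triage(banners):
    """Map host -> 'affected' | 'patched' | 'unlisted' from collected banners."""
    result = {}
    for host, banner in banners.items():
        status = is_affected(parse_java_version(banner))
        result[host] = "affected" if status else ("unlisted" if status is None else "patched")
    return result

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_BANNERS = {
    "app01": 'openjdk version "11.0.12" 2021-07-20',
    "app02": 'java version "1.8.0_301" 2021-07-20 LTS',
    "app03": 'openjdk version "17.0.1" 2021-10-19',
    "build01": 'openjdk version "16.0.2" 2021-07-20',
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```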
Monitoring Recommendations
- Log and alert on Java runtime version strings across endpoints and servers to track patch compliance
- Track child process creation chains from browsers or mail clients leading to Java executables, indicating user-interaction-driven exploitation attempts
- Capture and review web service API calls that pass externally sourced data into Java Kerberos APIs in custom applications
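The correlation of Java process telemetry with Kerberos network activity, and the browser-or-mail-client parent check from the monitoring list, can be expressed as a small rule over endpoint events. This is an added example and not part of any vendor tooling; the allow-listed KDC addresses, the launcher process names, and the event records are all constructed assumptions, and the field names are hypothetical.

```python
# Process images the detection treats as Java runtimes.
JAVA_IMAGES = {"java", "javaw", "javaws"}
# Assumed user-facing parents that indicate a user-interaction-driven launch.
LAUNCHERS = {"firefox", "chrome", "outlook", "thunderbird"}
# Assumed corporate KDCs; any other Kerberos destination is treated as untrusted.
ALLOWED_KDCS = {"10.0.0.5", "10.0.0.6"}
KERBEROS_PORT = 88

def correlate(process_events, network_events):
    """Return alerts for Java processes that connect to a Kerberos (port 88)
    endpoint outside ALLOWED_KDCS. Severity is raised when the Java process
    was spawned by a browser or mail client (the user-interaction path)."""
    procs = {(p["host"], p["pid"]): p for p in process_events}   # pids collide across hosts
    alerts = []
    for n in network_events:
        if n["dport"] != KERBEROS_PORT or n["dst"] in ALLOWED_KDCS:
            continue
        p = procs.get((n["host"], n["pid"]))
        if p is None or p["image"] not in JAVA_IMAGES:
            continue
        severity = "high" if p["parent"] in LAUNCHERS else "medium"
        alerts.append({"host": n["host"], "pid": n["pid"], "image": p["image"],
                       "parent": p["parent"], "dst": n["dst"], "severity": severity})
    return alerts

# Constructed telemetry (hypothetical hosts and documentation-range addresses).
PROCESS_EVENTS = [
    {"host": "ws07", "pid": 4120, "image": "javaws", "parent": "firefox"},
    {"host": "app01", "pid": 2231, "image": "java", "parent": "systemd"},
    {"host": "app01", "pid": 2290, "image": "java", "parent": "systemd"},
    {"host": "app01", "pid": 2300, "image": "sshd", "parent": "systemd"},
]
NETWORK_EVENTS = [
    {"host": "ws07", "pid": 4120, "dst": "203.0.113.77", "dport": 88},   # applet -> unknown KDC
    {"host": "app01", "pid": 2231, "dst": "10.0.0.5", "dport": 88},      # normal corporate KDC
    {"host": "app01", "pid": 2290, "dst": "198.51.100.9", "dport": 88},  # server -> unknown KDC
    {"host": "app01", "pid": 2290, "dst": "198.51.100.9", "dport": 443}, # not Kerberos, ignored
    {"host": "app01", "pid": 2300, "dst": "198.51.100.9", "dport": 88},  # not a Java process
]

if __name__ == "__main__":
    for a in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(a)
```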
How to Mitigate CVE-2021-35567
Immediate Actions Required
- Apply the Oracle October 2021 Critical Patch Update to upgrade Java SE beyond 8u301, 11.0.12, and 17, and GraalVM Enterprise Edition beyond 20.3.3 and 21.2.0
- Update NetApp products listed in the NetApp Security Advisory NTAP-20211022-0004 to fixed versions
- Apply distribution updates from Debian DSA-5000, Debian DSA-5012, and the relevant Fedora package announcements
Patch Information
Oracle addressed CVE-2021-35567 in the Oracle Critical Patch Update October 2021. Downstream patches are available from Debian via the Debian LTS Announcement, Fedora through multiple package announcements, and Gentoo via GLSA 202209-05. NetApp shipped fixes for affected products including Active IQ Unified Manager, OnCommand Insight, OnCommand Workflow Automation, SnapManager, SolidFire, and the E-Series SANtricity family.
Workarounds
- Disable Java Web Start and applet support in browsers and on endpoints where it is not required for business workflows
- Restrict Kerberos authentication endpoints reachable by Java client applications using network segmentation and firewall rules
- Validate and sanitize all externally sourced input passed to Java Libraries APIs in custom web services until patches are deployed
# Verify installed Java version on Linux hosts
java -version
# Debian/Ubuntu - apply security updates
sudo apt-get update && sudo apt-get install --only-upgrade openjdk-11-jre openjdk-17-jre
# Fedora - update OpenJDK packages
sudo dnf update java-11-openjdk java-17-openjdk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.