CVE-2021-35578 Overview
CVE-2021-35578 is a vulnerability in the Java SE and Oracle GraalVM Enterprise Edition products affecting the JSSE (Java Secure Socket Extension) component. This vulnerability allows an unauthenticated attacker with network access via TLS to cause a partial denial of service condition. The flaw is easily exploitable and can be triggered by supplying malicious data to APIs in the JSSE component without requiring untrusted Java Web Start applications or untrusted Java applets, making it particularly relevant for web services and server-side Java applications.
Critical Impact
Unauthenticated attackers can remotely trigger partial denial of service conditions on Java applications utilizing TLS connections, potentially disrupting critical business services and web applications.
Affected Products
- Oracle OpenJDK 8 Update 301, 11.0.12, and 17
- Oracle GraalVM Enterprise Edition 20.3.3 and 21.2.0
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp E-Series SANtricity OS Controller, Storage Manager, and Web Services
- NetApp HCI Management Node, OnCommand Insight, OnCommand Workflow Automation
- NetApp Santricity Unified Manager, SnapManager (Oracle and SAP), SolidFire
- Debian Linux 9.0, 10.0, and 11.0
- Fedora 33, 34, and 35
Discovery Timeline
- October 20, 2021 - CVE-2021-35578 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-35578
Vulnerability Analysis
This vulnerability resides in the JSSE (Java Secure Socket Extension) component, which provides the framework and implementation for SSL/TLS protocols in Java applications. The flaw enables remote attackers to cause availability impacts without requiring any privileges or user interaction, making it an attractive target for denial of service attacks against Java-based services.
The vulnerability specifically affects TLS connection handling, where maliciously crafted data sent to JSSE APIs can trigger resource consumption or processing issues that lead to partial service degradation. Notably, this vulnerability cannot be exploited through Java Web Start applications or Java applets, which limits the attack surface to server-side Java applications and web services that process TLS connections directly.
Root Cause
The root cause of this vulnerability lies in improper handling of certain TLS protocol data within the JSSE component. When processing TLS handshake or session data, the affected Java versions fail to adequately validate or limit resource consumption, allowing attackers to trigger conditions that degrade service availability. The specific technical details have not been fully disclosed by Oracle, but the vulnerability affects the core TLS implementation used by numerous Java applications.
Attack Vector
The attack vector is network-based and requires the attacker to send specially crafted TLS protocol data to a vulnerable Java application. The attack characteristics include:
- Network-accessible: The attacker must have network connectivity to the target application's TLS endpoint
- No authentication required: The vulnerability can be exploited by unauthenticated attackers
- No user interaction: Exploitation does not require any action from legitimate users
- API-based exploitation: The attack is executed by supplying malicious data through programmatic interfaces rather than browser-based applets
The vulnerability can be exploited against any Java application that exposes TLS services, including web servers, application servers, messaging systems, and custom Java applications that utilize JSSE for secure communications.
Detection Methods for CVE-2021-35578
Indicators of Compromise
- Unusual patterns of TLS connection attempts or handshake failures from specific source IP addresses
- Increased CPU or memory consumption on Java processes handling TLS connections
- Application logs showing repeated TLS-related errors or exceptions in JSSE components
- Network traffic analysis revealing malformed or unusual TLS protocol data
Detection Strategies
- Monitor Java application performance metrics for anomalies in TLS connection handling latency
- Implement network intrusion detection rules to identify unusual TLS handshake patterns
- Review Java application logs for JSSE-related warnings or exceptions that may indicate exploitation attempts
- Deploy SentinelOne Singularity platform to detect behavioral anomalies in Java processes
Monitoring Recommendations
- Enable verbose logging for JSSE components during incident investigation periods
- Configure alerting thresholds for TLS connection failure rates exceeding baseline metrics
- Implement network flow analysis to detect potential denial of service attack patterns
- Use application performance monitoring to track JSSE component resource utilization
How to Mitigate CVE-2021-35578
Immediate Actions Required
- Upgrade Oracle OpenJDK to versions 8u311, 11.0.13, or 17.0.1 or later
- Update Oracle GraalVM Enterprise Edition to patched versions as specified in Oracle's advisory
- Apply vendor-specific patches for affected NetApp products following their security advisory guidance
- Update Debian and Fedora systems using package managers to receive patched Java packages
Patch Information
Oracle addressed this vulnerability in the October 2021 Critical Patch Update (CPU). The official security advisory is available at Oracle Security Alert, October 2021. Additional patch information is available from distribution-specific advisories including Debian Security Advisory DSA-5000, Debian Security Advisory DSA-5012, and Gentoo GLSA 2022-09-05. NetApp customers should refer to NetApp Security Advisory for product-specific guidance.
Workarounds
- Implement network-level rate limiting on TLS endpoints to mitigate denial of service impact
- Deploy web application firewalls or reverse proxies with TLS termination to filter malicious requests
- Restrict network access to Java applications processing TLS connections to trusted networks where possible
- Consider implementing connection throttling at the application level for TLS services
# Example: Verify Java version and update on Debian/Ubuntu
java -version
sudo apt update
sudo apt install openjdk-11-jdk
# Verify updated version
java -version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
