CVE-2021-35588 Overview
CVE-2021-35588 is a denial of service vulnerability in the Hotspot component of Oracle Java SE and Oracle GraalVM Enterprise Edition. This vulnerability affects Java deployments that run untrusted code in sandboxed environments, such as Java Web Start applications and Java applets that load code from the internet and rely on the Java sandbox for security.
The vulnerability can be exploited by an unauthenticated attacker with network access via multiple protocols, though successful exploitation requires human interaction from someone other than the attacker and the attack complexity is high. When exploited, attackers can cause a partial denial of service, impacting the availability of affected Java applications.
Critical Impact
Successful exploitation allows attackers to cause partial denial of service in Java SE and Oracle GraalVM Enterprise Edition environments, potentially disrupting sandboxed Java applications and web services.
Affected Products
- Oracle OpenJDK 7 Update 311
- Oracle OpenJDK 8 Update 301
- Oracle GraalVM Enterprise Edition 20.3.3
- Oracle GraalVM Enterprise Edition 21.2.0
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp E-Series SANtricity OS Controller
- NetApp E-Series SANtricity Storage Manager
- NetApp E-Series SANtricity Web Services
- NetApp HCI Management Node
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
- NetApp SANtricity Unified Manager
- NetApp SnapManager (Oracle and SAP)
- NetApp SolidFire
- Fedora 33, 34, 35
- Debian Linux 9.0
Discovery Timeline
- October 20, 2021 - CVE-2021-35588 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-35588
Vulnerability Analysis
This vulnerability resides in the Hotspot component of Java SE and Oracle GraalVM Enterprise Edition. The Hotspot JVM is the core execution engine responsible for compiling and executing Java bytecode. The flaw can be triggered through multiple network protocols and allows an unauthenticated attacker to cause availability impacts on vulnerable systems.
The vulnerability primarily affects sandboxed Java deployments where untrusted code is executed. This includes traditional Java Web Start applications and Java applets that load content from the internet. Additionally, the vulnerability can be exploited through APIs in the Hotspot component, meaning web services that supply data to these APIs are also at risk.
While the attack requires high complexity and human interaction, the ability to disrupt Java-based services without authentication makes this vulnerability relevant for environments running affected Java versions.
Root Cause
The root cause is related to improper handling within the Hotspot JVM component. While Oracle has not disclosed specific technical details about the underlying issue, the vulnerability allows attackers to trigger conditions that cause partial denial of service through resource consumption or improper state handling within the JVM's execution engine.
Attack Vector
This vulnerability is exploitable over the network via multiple protocols. The attack scenario involves:
- An attacker crafts malicious input or content designed to exploit the Hotspot vulnerability
- A victim interacts with the malicious content (e.g., visiting a webpage with a vulnerable Java applet or Web Start application)
- The sandboxed Java environment loads and processes the untrusted code
- The vulnerability is triggered, causing partial denial of service
Alternatively, the vulnerability can be exploited through web services that pass data to vulnerable Hotspot APIs, allowing attackers to trigger the condition without requiring a user to directly interact with a Java applet.
The attack is considered difficult to exploit due to the combination of required human interaction and the specific conditions needed to trigger the vulnerability.
Detection Methods for CVE-2021-35588
Indicators of Compromise
- Unexpected Java application crashes or hangs affecting availability
- Increased resource consumption by Java processes without clear cause
- Abnormal network traffic patterns to Java-based web services
- User reports of Java applets or Web Start applications becoming unresponsive
Detection Strategies
- Monitor Java application logs for unexpected exceptions or errors related to Hotspot components
- Implement network traffic analysis to identify anomalous patterns targeting Java-based services
- Deploy application performance monitoring to detect degradation in Java application responsiveness
- Use endpoint detection and response (EDR) solutions to monitor Java process behavior
Monitoring Recommendations
- Enable verbose logging for Java applications running untrusted code
- Configure alerts for Java process resource consumption anomalies
- Monitor web service endpoints that utilize Java APIs for unusual request patterns
- Track Java version deployments across the environment to identify vulnerable installations
How to Mitigate CVE-2021-35588
Immediate Actions Required
- Update Oracle Java SE to a patched version (post-October 2021 Critical Patch Update)
- Update Oracle GraalVM Enterprise Edition to versions newer than 20.3.3 and 21.2.0
- Review and restrict Java Web Start and applet usage where possible
- Apply vendor patches for NetApp products as referenced in security advisories
Patch Information
Oracle addressed this vulnerability in the Oracle October 2021 Security Alert. Patches are available for all affected Java SE and GraalVM Enterprise Edition versions.
Additional vendor advisories:
Fedora users should apply updates through their standard package management system as announced in Fedora Package Announcements.
Workarounds
- Disable Java Web Start and Java applet functionality if not required in your environment
- Restrict network access to Java-based services from untrusted networks
- Implement web application firewalls (WAF) to filter potentially malicious requests to Java services
- Consider migrating from Java 7 and 8 to newer, actively maintained LTS versions
# Check Java version to identify vulnerable installations
java -version
# Example: Update Java on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade openjdk-8-jdk
# Example: Update Java on RHEL/CentOS/Fedora systems
sudo dnf update java-1.8.0-openjdk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
