CVE-2024-21094 Overview
CVE-2024-21094 is a vulnerability in the Hotspot component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The flaw allows an unauthenticated network attacker to compromise integrity by performing unauthorized update, insert, or delete operations on accessible data. Oracle classifies the issue as difficult to exploit. The vulnerability maps to [CWE-349]: Acceptance of Extraneous Untrusted Data With Trusted Data. It also affects Java deployments running sandboxed Java Web Start applications or applets that load untrusted code and rely on the Java sandbox. Oracle addressed the issue in the April 2024 Critical Patch Update.
Critical Impact
An unauthenticated remote attacker can achieve unauthorized modification of data accessible to Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition through APIs in the Hotspot component.
Affected Products
- Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22
- Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22
- Oracle GraalVM Enterprise Edition: 20.3.13, 21.3.9 (also redistributed in NetApp Active IQ Unified Manager, OnCommand Insight, OnCommand Workflow Automation, Data Infrastructure Insights agents, and Debian Linux 10)
Discovery Timeline
- 2024-04-16 - CVE-2024-21094 published to NVD following the Oracle April 2024 Critical Patch Update
- 2024-04-25 - Debian LTS advisory released (see Debian LTS Announcement)
- 2024-04-26 - NetApp publishes downstream advisory (see NetApp Security Advisory)
- 2025-05-21 - Last updated in NVD database
Technical Details for CVE-2024-21094
Vulnerability Analysis
The vulnerability resides in the Hotspot virtual machine, the just-in-time compilation and runtime engine that executes Java bytecode. An attacker reaches the flaw by invoking APIs in the affected component, including through web services that pass attacker-controlled data into Java APIs. Successful exploitation yields a limited integrity impact: an attacker can update, insert, or delete a subset of data accessible to the Java runtime, but cannot read confidential data or affect availability.
The issue extends to sandboxed Java Web Start applications and applets. Untrusted code loaded from the internet can break trust boundaries enforced by the Java sandbox, allowing modification of data the sandbox is expected to protect. Exploitation requires meeting timing or environmental preconditions, which Oracle reflects in the high attack complexity rating.
Root Cause
The weakness is categorized as [CWE-349]: Acceptance of Extraneous Untrusted Data With Trusted Data. Hotspot incorporates data from an untrusted source alongside trusted data without sufficient separation. This trust boundary failure permits an attacker-supplied input to influence operations that should rely only on validated data, producing the observed integrity violations.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker reaches Hotspot through multiple protocols, typically by submitting crafted inputs to a Java-backed web service or by causing a victim client to execute an untrusted sandboxed application. Because exploitation conditions are non-trivial, opportunistic mass exploitation is unlikely; targeted attacks against Java-fronted services remain the realistic scenario. No public proof-of-concept code or CISA KEV listing exists for this CVE at the time of writing. EPSS data indicates a low near-term exploitation probability.
No verified public exploit code is available. See the Oracle Critical Patch Update for vendor technical context.
Detection Methods for CVE-2024-21094
Indicators of Compromise
- Unexpected Java process spawn patterns or abnormal class loading from Hotspot on servers running affected JDK or JRE versions
- Anomalous data modifications in datasets reachable through Java-fronted APIs without corresponding authenticated user activity
- Inbound network requests delivering serialized or crafted payloads to Java web services on hosts that have not yet applied the April 2024 CPU
Detection Strategies
- Inventory all hosts running affected JDK, JRE, and GraalVM versions and correlate with vulnerability scanner output that flags CVE-2024-21094
- Enable Java Flight Recorder or equivalent runtime logging on Hotspot to capture suspicious method invocations and class instantiation
- Monitor application-layer logs for malformed inputs reaching Java APIs, particularly via web services exposed to untrusted networks
Monitoring Recommendations
- Track JVM patch level across the fleet and alert on hosts running pre-April 2024 CPU builds of Oracle Java SE or GraalVM
- Forward web application and Java application logs to a centralized analytics platform and baseline normal API input patterns to surface anomalies
- Watch for outbound connections from sandboxed Java Web Start or applet processes on user endpoints, which indicates legacy attack surface
How to Mitigate CVE-2024-21094
Immediate Actions Required
- Apply the Oracle April 2024 Critical Patch Update to all instances of Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition
- Update Debian packages per the Debian LTS Announcement and NetApp products per the NetApp Security Advisory
- Disable Java Web Start and the browser Java plug-in on endpoints where they are not strictly required
Patch Information
Oracle released fixes in the April 2024 Critical Patch Update. Upgrade to Oracle Java SE 8u411, 11.0.23, 17.0.11, 21.0.3, or 22.0.1; Oracle GraalVM for JDK 17.0.11, 21.0.3, or 22.0.1; and the patched GraalVM Enterprise Edition releases. Refer to the Oracle Critical Patch Update for the authoritative version matrix.
Workarounds
- Restrict network exposure of Java-fronted APIs and web services using network segmentation and authenticated ingress controls
- Block execution of untrusted Java Web Start applications and applets through application allowlisting on endpoints
- Validate and sanitize all data passed into Java APIs at the application layer to reduce reachable attack surface until patches are deployed
# Verify Java runtime version after patching
java -version
# Example expected output for a patched Java 17 install
# java version "17.0.11" 2024-04-16 LTS
# Java(TM) SE Runtime Environment (build 17.0.11+...)
# Java HotSpot(TM) 64-Bit Server VM (build 17.0.11+..., mixed mode)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
