CVE-2024-21138 Overview
CVE-2024-21138 is a Denial of Service vulnerability affecting the Hotspot component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The vulnerability allows an unauthenticated attacker with network access to cause a partial denial of service condition against affected Java deployments.
This vulnerability can be exploited through APIs in the Hotspot component, including scenarios where a web service supplies data to the APIs. It also impacts Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet while relying on the Java sandbox for security.
Critical Impact
Successful exploitation enables attackers to cause partial denial of service (availability impact) to Java applications and services without requiring authentication.
Affected Products
- Oracle JDK: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1
- Oracle JRE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1
- Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1
- Oracle GraalVM Enterprise Edition: 20.3.14, 21.3.10
- NetApp Active IQ Unified Manager (for VMware vSphere)
- NetApp BlueXP
- NetApp Data Infrastructure Insights Storage Workload Security Agent
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
Discovery Timeline
- 2024-07-16 - CVE-2024-21138 published to NVD
- 2024-12-05 - Last updated in NVD database
Technical Details for CVE-2024-21138
Vulnerability Analysis
This vulnerability resides in the Hotspot component of Oracle Java SE. The Hotspot JVM is the core execution engine responsible for just-in-time (JIT) compilation and runtime optimizations in Java applications. The flaw enables remote attackers to degrade service availability without requiring any privileges or user interaction.
The vulnerability is network-accessible and can be triggered through multiple protocols, making it relevant for both server-side Java applications exposing web services and client-side deployments using sandboxed applets or Java Web Start applications. While the attack complexity is high, successful exploitation does not require authentication, making it a concern for internet-facing Java deployments.
Root Cause
The root cause involves improper handling within the Hotspot component that can lead to resource consumption or processing issues when maliciously crafted input is provided through affected APIs. While Oracle has not disclosed specific technical details (classified as NVD-CWE-noinfo), the vulnerability affects the core JVM execution engine, suggesting potential issues in JIT compilation, garbage collection, or other Hotspot subsystems that can be triggered remotely.
Attack Vector
The attack vector is network-based, allowing unauthenticated attackers to target vulnerable Java deployments through multiple network protocols. Exploitation scenarios include:
- Server-side exploitation: Attackers can send crafted requests to web services that pass data to vulnerable Hotspot APIs, triggering the denial of service condition.
- Client-side exploitation: Users running sandboxed Java Web Start applications or Java applets that load untrusted code from the internet may be vulnerable when malicious code exploits the Hotspot flaw.
The vulnerability has high attack complexity, meaning successful exploitation requires specific conditions or significant effort to achieve. However, no privileges, authentication, or user interaction is required for the attack.
Detection Methods for CVE-2024-21138
Indicators of Compromise
- Unexpected Java process resource consumption (CPU spikes, memory issues) without corresponding legitimate workload
- Java application or JVM crashes or hangs affecting service availability
- Unusual patterns in application logs indicating processing failures in Hotspot-related operations
- Network traffic anomalies to Java-based web services with malformed or unusual request patterns
Detection Strategies
- Implement application performance monitoring (APM) to detect abnormal JVM behavior and Hotspot-related issues
- Monitor Java process health metrics including CPU usage, memory allocation, and garbage collection patterns
- Deploy network intrusion detection systems to identify suspicious traffic targeting Java services
- Enable JVM diagnostic logging to capture detailed information about Hotspot component operations
Monitoring Recommendations
- Configure alerts for Java application availability degradation and partial service outages
- Monitor JVM metrics using tools like JMX, VisualVM, or commercial APM solutions
- Track network connections to Java services for unusual volume or request patterns
- Implement health checks for Java-based web services to quickly detect availability issues
How to Mitigate CVE-2024-21138
Immediate Actions Required
- Update all Oracle JDK and JRE installations to the latest patched versions from Oracle's July 2024 Critical Patch Update
- Update Oracle GraalVM for JDK and GraalVM Enterprise Edition to patched versions
- Review and update NetApp products (Active IQ Unified Manager, BlueXP, OnCommand Insight, OnCommand Workflow Automation, Data Infrastructure Insights) per NetApp Security Advisory NTAP-20240719-0008
- Audit all Java deployments across the organization to identify affected versions
Patch Information
Oracle has released security patches addressing this vulnerability in the Oracle Security Alert July 2024. Organizations using affected versions should apply the latest Critical Patch Update immediately.
For NetApp products, refer to the NetApp Security Advisory NTAP-20240719-0008 for product-specific patching guidance.
Patched Versions:
- Oracle JDK/JRE: Versions released after July 2024 CPU
- Oracle GraalVM for JDK: Versions released after July 2024 CPU
- Oracle GraalVM Enterprise Edition: Versions released after July 2024 CPU
Workarounds
- Restrict network access to Java-based services using firewall rules and network segmentation
- Disable or remove Java Web Start and Java applet functionality where not required
- Implement rate limiting and request validation for web services that process external data through Java APIs
- Consider application-level sandboxing or containerization to limit the impact of potential denial of service conditions
# Example: Verify Java version to confirm patching status
java -version
# Check for affected JDK versions in use
find /opt /usr/lib -name "java" -exec {} -version \; 2>&1 | grep -E "(1\.8\.0_411|11\.0\.23|17\.0\.11|21\.0\.3|22\.0\.1)"
# Example: Restrict network access to Java services (iptables)
iptables -A INPUT -p tcp --dport 8080 -s trusted_network/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
