CVE-2024-21145 Overview
CVE-2024-21145 is a security vulnerability affecting the 2D component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. This improper access control vulnerability allows an unauthenticated attacker with network access to potentially compromise affected systems through multiple protocols. The vulnerability is classified as difficult to exploit but can result in unauthorized data modification and unauthorized read access to sensitive information.
The vulnerability affects Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet, relying on the Java sandbox for security. Additionally, this vulnerability can be exploited through APIs in the 2D component, including via web services that supply data to these APIs.
Critical Impact
Successful exploitation enables unauthorized update, insert, or delete access to data as well as unauthorized read access to a subset of accessible data across Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition deployments.
Affected Products
- Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1
- Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1
- Oracle GraalVM Enterprise Edition: 20.3.14, 21.3.10
- Oracle JDK: 1.8.0 update411, 11.0.23, 17.0.11, 21.0.3, 22.0.1
- Oracle JRE: 1.8.0 update411, 11.0.23, 17.0.11, 21.0.3, 22.0.1
- NetApp BlueXP
- NetApp Cloud Insights Storage Workload Security Agent
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
Discovery Timeline
- 2024-07-16 - CVE-2024-21145 published to NVD
- 2024-07-19 - NetApp releases security advisory
- 2025-03-13 - Last updated in NVD database
Technical Details for CVE-2024-21145
Vulnerability Analysis
This vulnerability resides in the Java 2D graphics component, which is responsible for rendering two-dimensional graphics, images, and text. The 2D component is a core part of the Java platform and is utilized extensively by applications for graphical operations including image processing, font rendering, and graphical transformations.
The vulnerability manifests when the 2D component improperly handles access control for certain operations, allowing attackers to bypass security restrictions. While the attack complexity is high (requiring specific conditions to be met), the vulnerability does not require any privileges or user interaction, making it exploitable in network-accessible deployments.
The impact is limited to confidentiality and integrity with low severity for each, meaning attackers can read limited portions of data and make limited modifications, but cannot achieve complete system compromise or cause denial of service conditions.
Root Cause
The root cause of CVE-2024-21145 is classified as an improper access control issue (CWE-284). The 2D component fails to properly enforce access restrictions when processing certain graphical operations or data inputs. This allows operations that should be restricted by the Java security sandbox to be performed without proper authorization checks.
In sandboxed environments such as Java Web Start applications or Java applets, this weakness can be leveraged by untrusted code to access or modify data that should be protected by the sandbox security model. The vulnerability can also be triggered through APIs that accept external data, such as web services processing image data or graphical content.
Attack Vector
The attack vector for this vulnerability is network-based, requiring the attacker to have network access to the target system. Exploitation can occur through several scenarios:
Sandboxed Applications: An attacker can craft malicious code to be executed within a sandboxed Java Web Start application or Java applet. When a user visits a malicious website hosting the untrusted applet, the vulnerability in the 2D component can be triggered to bypass sandbox restrictions.
API Exploitation: Web services or applications that expose APIs utilizing the 2D component can be targeted. An attacker can send specially crafted data to these APIs, triggering the vulnerability and gaining unauthorized access to data.
Multi-Protocol Access: The vulnerability can be exploited through multiple network protocols, increasing the attack surface for potential exploitation.
The attack mechanism involves sending crafted input to the vulnerable 2D component APIs that bypasses the normal access control checks. Due to the improper access control, the attacker can then read or modify data that should be protected. Technical details of specific exploitation techniques should be obtained from the Oracle Security Alert July 2024.
Detection Methods for CVE-2024-21145
Indicators of Compromise
- Unexpected Java process behavior involving 2D graphics operations from network-connected applications
- Anomalous data access patterns in applications utilizing Java 2D APIs
- Unusual network traffic to Java-based web services processing graphical content
- Java applet or Web Start application loading from untrusted or suspicious sources
Detection Strategies
- Monitor Java application logs for unexpected 2D component operations or errors
- Implement network traffic analysis to detect suspicious data being sent to Java-based APIs
- Deploy endpoint detection to identify anomalous Java process behavior
- Utilize SentinelOne's behavioral AI to detect exploitation attempts targeting Java runtime environments
Monitoring Recommendations
- Enable verbose logging for Java applications, particularly those processing external graphical data
- Monitor for Java processes making unexpected file system or network access requests
- Track Java version deployment across the environment to identify systems running vulnerable versions
- Implement application-level monitoring for web services that utilize Java 2D APIs
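A version-triage helper for the inventory step above, added here as an example (it is not code from this page's source, Oracle or NetApp): it parses `java -version` banners and compares them with the affected versions listed under Affected Products, treating earlier updates on the same feature line as affected too, and reports "unknown" rather than "patched" for anything it cannot classify. The banners it is tested with are constructed samples.

```python
import re
import subprocess

# Latest affected update per feature line, from the Affected Products list above.
# Earlier updates on the same line predate the fix and are flagged as well.
AFFECTED = {
    8: (8, 411),        # Java SE 8u411, reported by `java -version` as "1.8.0_411"
    11: (11, 0, 23),
    17: (17, 0, 11),
    21: (21, 0, 3),
    22: (22, 0, 1),
}
BANNER_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')

def parse_version(banner):
    """Return (feature_line, comparable_tuple) from a `java -version` banner, else None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    raw = m.group(1)
    if raw.startswith("1.8.0_"):            # legacy scheme: 1.8.0_411, 1.8.0_411-b09
        update = re.match(r"\d+", raw[6:])
        return (8, (8, int(update.group(0)))) if update else None
    nums = [int(p) for p in re.split(r"[.+-]", raw)[:3] if p.isdigit()]
    if not nums:
        return None
    nums += [0] * (3 - len(nums))           # "22-ea" -> (22, 0, 0)
    return nums[0], tuple(nums)

def assess(banner):
    """Classify a banner as 'vulnerable', 'patched' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"                    # unparsable output: never assume safe
    line, version = parsed
    if line not in AFFECTED:
        return "unknown"                    # feature line not covered by this advisory
    return "vulnerable" if version <= AFFECTED[line] else "patched"

def check_local_java(cmd=("java", "-version")):
    """Run `java -version` on this host (the banner goes to stderr) and assess it."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(out.stderr + out.stdout)

if __name__ == "__main__":
    print("local java:", check_local_java())
```

Feed it banners collected by your inventory tooling (one per host) to get a vulnerable/patched/unknown split; the "unknown" bucket is the one to follow up by hand.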
How to Mitigate CVE-2024-21145
Immediate Actions Required
- Update Oracle Java SE to the latest patched version (beyond 22.0.1)
- Update Oracle GraalVM for JDK to versions newer than 22.0.1
- Update Oracle GraalVM Enterprise Edition to versions newer than 21.3.10
- Review and restrict network access to Java-based web services processing graphical content
- Disable Java Web Start and Java applets in web browsers if not required
Patch Information
Oracle has addressed this vulnerability in their July 2024 Critical Patch Update. Administrators should apply the latest security patches available from Oracle for Java SE, GraalVM for JDK, and GraalVM Enterprise Edition. NetApp has also released a security advisory for affected products including BlueXP, Cloud Insights Storage Workload Security Agent, OnCommand Insight, and OnCommand Workflow Automation. Refer to the NetApp Security Advisory for specific patch information for NetApp products.
For detailed patch information, consult the Oracle Security Alert July 2024.
Workarounds
- Disable Java applets and Java Web Start functionality in web browsers to prevent exploitation via untrusted code
- Implement network segmentation to limit access to Java-based APIs from untrusted networks
- Apply application-level access controls to restrict who can access web services utilizing the 2D component
- Consider deploying web application firewalls (WAF) to filter potentially malicious input to Java-based services
# Disable the Java browser plugin and Web Start system-wide (Oracle JRE 8 deployment properties)
# The setting lives in deployment.properties, and deployment.config must point the JRE at that
# file; neither belongs in java.security. Paths assume a typical Linux JRE install under $JAVA_HOME.
echo "deployment.system.config=file://$JAVA_HOME/lib/deployment.properties" >> "$JAVA_HOME/lib/deployment.config"
echo "deployment.webjava.enabled=false" >> "$JAVA_HOME/lib/deployment.properties"
# Verify the Java version to confirm patching (the version banner is printed on stderr)
java -version 2>&1
# Check for vulnerable versions in your environment: run only executable files named java,
# not directories such as /usr/share/java
find /usr -type f -name "java" -perm -u+x -exec {} -version \; 2>&1 | grep -E "1\.8\.0_411|11\.0\.23|17\.0\.11|21\.0\.3|22\.0\.1"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.