CVE-2024-21217 Overview
CVE-2024-21217 is a denial of service vulnerability in the Serialization component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Oracle disclosed the issue in the October 2024 Critical Patch Update. An unauthenticated attacker with network access can trigger a partial denial of service by submitting crafted serialized data to exposed APIs. The flaw is classified under [CWE-502] Deserialization of Untrusted Data. Exploitation conditions are difficult to satisfy, which limits real-world impact, but Java deployments processing serialized objects from untrusted sources remain exposed.
Critical Impact
Unauthenticated network attackers can cause a partial denial of service in affected Java runtimes by abusing serialization APIs reachable through web services or sandboxed Java Web Start clients.
Affected Products
- Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23
- Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23
- Oracle GraalVM Enterprise Edition: 20.3.15, 21.3.11
Discovery Timeline
- 2024-10-15 - CVE-2024-21217 published to NVD as part of Oracle's October 2024 Critical Patch Update
- 2024-10-18 - Debian LTS publishes advisory addressing the vulnerability
- 2024-10-20 - Debian LTS publishes follow-up advisory for additional packages
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-21217
Vulnerability Analysis
The vulnerability resides in the Java serialization subsystem, which converts object graphs to and from byte streams. When a Java application deserializes attacker-controlled data, the runtime can be forced into resource-intensive processing paths that degrade availability. The flaw is mapped to [CWE-502], a well-documented class of issues affecting Java deserialization. Successful exploitation produces a partial denial of service rather than code execution or data disclosure. The Java sandbox does not block the condition, so sandboxed Java Web Start applications and applets that load untrusted code remain in scope.
Root Cause
The root cause is unsafe handling of untrusted serialized input within the JDK Serialization component. Crafted object streams trigger expensive computation or resource consumption inside ObjectInputStream processing. Oracle classifies the issue as difficult to exploit, indicating non-trivial preconditions on input shaping and timing.
Attack Vector
Attackers reach the vulnerable code through any API path that accepts serialized Java objects. Common exposure points include web services, RMI endpoints, JMX listeners, and message brokers that forward serialized payloads to the JVM. The vulnerability also applies to client-side Java deployments running sandboxed Java Web Start applications or applets that load code from the network. No authentication or user interaction is required.
No verified proof-of-concept code is publicly available. Refer to the Oracle Security Alert October 2024 for vendor-supplied technical context.
Detection Methods for CVE-2024-21217
Indicators of Compromise
- Unexpected spikes in CPU or heap utilization on JVM processes correlated with inbound serialized payloads
- Repeated java.io.ObjectInputStream activity sourced from external network endpoints
- Application logs showing slow response times or thread pool exhaustion on services exposing serialization endpoints
Detection Strategies
- Inventory all JVM-hosted services that accept serialized Java objects over the network, including RMI, JMX, and HTTP-based serialization endpoints
- Inspect HTTP and RPC traffic for the Java serialization magic bytes 0xAC 0xED 0x00 0x05 arriving from untrusted sources
- Correlate JVM performance telemetry with network ingress patterns to identify resource exhaustion attempts
Monitoring Recommendations
- Forward JVM garbage collection, thread, and CPU metrics to a centralized analytics platform for anomaly detection
- Alert on sustained thread pool saturation or OutOfMemoryError events on internet-facing Java services
- Track advisories published by Oracle and by downstream distributions such as Debian for additional patch guidance
How to Mitigate CVE-2024-21217
Immediate Actions Required
- Apply the October 2024 Critical Patch Update from Oracle to all affected Java SE and GraalVM installations
- Identify and inventory JVM workloads exposing serialization endpoints to untrusted networks
- Restrict network access to RMI, JMX, and other serialization-capable services using firewall rules or service mesh policies
Patch Information
Oracle released fixed builds in the October 2024 Critical Patch Update. Upgrade Oracle Java SE to releases later than 8u421, 11.0.24, 17.0.12, 21.0.4, and 23. Upgrade Oracle GraalVM for JDK beyond 17.0.12, 21.0.4, and 23, and Oracle GraalVM Enterprise Edition beyond 20.3.15 and 21.3.11. Debian users should apply the updates announced on 2024-10-18 and 2024-10-20. Full vendor details are in the Oracle Security Alert October 2024.
Workarounds
- Configure JVM serialization filters using jdk.serialFilter to reject untrusted classes and limit object graph depth
- Disable or firewall RMI, JMX, and other listeners that accept serialized objects when not required
- Replace Java native serialization with safer formats such as JSON or Protocol Buffers in application code
# Configuration example: restrict Java deserialization using a process-wide filter.
# The limits bound graph depth, array length, reference count and stream size; the
# trailing "!*" rejects every class not matched by an earlier pattern, so list the
# application's own packages before it (com.example.* is a placeholder for your prefix).
# Note: jdk.serialFilterFactory (JDK 17+) takes the name of a filter-factory class, not
# a keyword; an unresolvable value prevents the filter machinery from initializing.
java \
  -Djdk.serialFilter='maxdepth=10;maxarray=10000;maxrefs=1000;maxbytes=16384;com.example.*;java.base/*;!*' \
  -jar application.jar
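The following example is added here for illustration and is not code from the page, from Oracle, or from the JDK project. It shows two things the Detection Strategies and Workarounds sections describe: a pre-check for the serialization header bytes 0xAC 0xED 0x00 0x05 on an inbound payload, and a per-stream ObjectInputFilter that reuses the limit values from the configuration above together with an allowlist, so an over-deep object graph is refused while it is being read rather than after it has consumed resources. It assumes JDK 9 or later (java.io.ObjectInputFilter) and a hypothetical class SerialFilterDemo with a nested Node type standing in for an application's own serializable types; the chains it serializes are constructed sample input, not captured traffic.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerialFilterDemo {

    // Hypothetical payload type: a chain of N nodes deserializes N levels deep,
    // which is exactly the shape a maxdepth limit is meant to bound.
    static final class Node implements Serializable {
        private static final long serialVersionUID = 1L;
        Node next;
    }

    // Detection helper: the java.io stream header is STREAM_MAGIC (0xACED) followed
    // by STREAM_VERSION (0x0005), i.e. the four bytes AC ED 00 05 named on the page.
    // Useful as a gate in front of any endpoint that should not receive native
    // serialization at all (e.g. an HTTP body expected to be JSON).
    static boolean hasSerializationHeader(byte[] payload) {
        return payload.length >= 4
                && (payload[0] & 0xFF) == 0xAC && (payload[1] & 0xFF) == 0xED
                && (payload[2] & 0xFF) == 0x00 && (payload[3] & 0xFF) == 0x05;
    }

    // Constructed sample input: serialize a chain of the requested length.
    static byte[] serializeChain(int length) throws IOException {
        Node head = null;
        for (int i = 0; i < length; i++) {
            Node n = new Node();
            n.next = head;
            head = n;
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(head);
        }
        return bos.toByteArray();
    }

    // Per-stream filter: the same limits as the page's jdk.serialFilter example plus
    // an allowlist for this demo's own classes (SerialFilterDemo and SerialFilterDemo$Node);
    // "!*" rejects everything else. The JDK consults the filter for every object and
    // back-reference it reads, passing the current depth, reference count and bytes read.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxarray=10000;maxrefs=1000;maxbytes=16384;"
          + "SerialFilterDemo*;!*");

    // Deserialize with the filter installed on this stream only. A process-wide
    // equivalent is -Djdk.serialFilter=... or ObjectInputFilter.Config.setSerialFilter.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] shallow = serializeChain(5);
        byte[] deep = serializeChain(50);
        byte[] json = "{\"id\": 1}".getBytes(StandardCharsets.US_ASCII);

        System.out.println("serialized chain carries header: " + hasSerializationHeader(shallow));
        System.out.println("JSON body carries header:        " + hasSerializationHeader(json));

        // Five levels is within maxdepth=10 and is accepted.
        Object ok = readFiltered(shallow);
        System.out.println("depth 5:  accepted (" + ok.getClass().getSimpleName() + ")");

        // Fifty levels exceeds maxdepth=10; the filter returns REJECTED partway through the
        // stream and readObject throws InvalidClassException. Logging these rejections gives
        // the "repeated ObjectInputStream activity from external endpoints" signal to alert on.
        try {
            readFiltered(deep);
            System.out.println("depth 50: accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("depth 50: rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`. In a real service the allowlist pattern is the application's own package prefix rather than `SerialFilterDemo*`, and the rejection branch would feed a metric or log line that the monitoring described above can correlate with network ingress.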
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


