CVE CyberSecurity Database News

CVE-2024-21144 - Partial Denial of Service Vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition

Poster -

In June 2024, Oracle published a security advisory regarding CVE-2024-21144, a vulnerability found in the Concurrency component of Oracle Java SE and Oracle GraalVM Enterprise Edition. Although this issue is hard to exploit and only results in partial denial of service (partial DOS), it affects a wide set of supported versions in commercial and community deployments, especially Java client applications that run untrusted code from the internet.

This post provides an easy-to-understand breakdown of what CVE-2024-21144 is, how it can be exploited, which versions are affected, and most importantly—what you should do if you’re running affected Oracle Java systems.

Vulnerability Overview

CVE-2024-21144 exists in the Java SE component that handles Concurrency features. Specifically, it's part of the infrastructure that lets Java programs handle multiple tasks at once (threads, jobs, etc). When untrusted code is run (for example, in sandboxed Java Web Start apps or applets running from the web), a bug in Concurrency processing can be triggered remotely, causing resource exhaustion or similar issues.

- Impact: Partial Denial of Service (partial DOS) — makes the Java system or application unstable but not completely unavailable.

Java code downloaded and executed from unknown web sources

If your environment only runs trusted Java code (admin-installed apps, servers), this issue does not apply to your setup.

How Does The Exploit Work?

While Oracle has not revealed fine technical details (to reduce the chance of zero-day attacks), the essence of the exploit is that an attacker can remotely trigger a flaw in how Java manages concurrent tasks, eventually causing resource exhaustion (like a thread pool getting stuck or memory consumed). Successfully triggering this makes the Java application slow down, freeze, or partially stop—without leaking data or allowing code execution.

Example Exploit Scenario

Let's imagine an applet loaded from a malicious website. The attacker’s code spawns a lot of tasks using Java concurrency APIs, then gets the applet to deadlock or overwhelm the concurrency subsystem.

Minimal Example Code (for Educational Purposes Only)

import java.util.concurrent.*;

public class ConcurrencyAttack {
    public static void main(String[] args) throws Exception {
        ExecutorService service = Executors.newFixedThreadPool(2);
        Runnable infiniteTask = () -> {
            while(true) {
                // Consumes CPU, never ends
            }
        };
        // Overwhelm thread pool
        for(int i = ; i < 100; i++) {
            service.submit(infiniteTask);
        }
        // Program hangs. In real exploit, this could lead to resource starvation.
    }
}

*Note: This demonstration shows how Java applications can be attacked via untrusted code to consume concurrency resources. The real vulnerability may require more specific triggers based on Oracle's proprietary code.*

Technical Reference

Oracle’s Security Advisory:
CVE-2024-21144 Oracle Security Alert

NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2024-21144

Mitigations & Patching

If you run any of the affected Java/Sandboxed client versions, you should update immediately to the latest patched release provided by Oracle.

Summary Table

| Product | Version(s) | Affected? |
|----------------------------------|-----------------------|:---------:|
| Oracle Java SE | 8u411, 8u411-perf | Yes |
| Oracle Java SE | 11..23 | Yes |
| Oracle GraalVM Enterprise Ed. | 20.3.14, 21.3.10 | Yes |

Final Thoughts

CVE-2024-21144 is an unusual but important reminder that Java sandboxing is not foolproof—especially when running untrusted code from the internet. Even if the impact is "only" partial denial of service, it can lead to business disruptions for client-side Java users.

Patch your Java installations, control your exposure to untrusted code, and stay on top of Oracle's advisories. As always, production servers running only trusted code are not at risk from this vulnerability.


Further Reading:
- Oracle Critical Patch Update – July 2024
- CVE-2024-21144 on NVD

Timeline

Published on: 07/16/2024 23:15:15 UTC
Last modified on: 07/19/2024 14:15:05 UTC