Published: Oracle CPU April 2024
CVSS 3.1 Base Score: 4.8 (Confidentiality and Integrity impacts)
Components Affected: 2D (Java 2D Graphics)
CVE Record: CVE-2024-21145 Details (NVD)
What is CVE-2024-21145?
CVE-2024-21145 is a vulnerability discovered in several Oracle Java products, specifically within the Java 2D (graphics rendering) component. Although considered "difficult to exploit," if an attacker finds a way in, this flaw allows remote, unauthenticated attackers to gain unauthorized access and:
- Read and manipulate some of the data processed by Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition.
- Update, insert, or delete some of that data without permission.
This vulnerability is *not* about completely taking over a system, but about snooping on and quietly changing bits of information, which in some cases can be just as damaging.
- It can be reached through common Java APIs (including via web services).
- It is not limited to servers: client-side Java apps (Java Web Start, applets) loading untrusted internet code can also be vulnerable.
Exploitation Details
Access Complexity: High
Attackers need to send carefully crafted payloads to specific Java APIs that rely on the 2D component (for example, image deserialization, custom graphics objects in serialized Java content, or content handled by web services).
Here's a simplified example to show how such attacks might be crafted.
Code Snippet Example
Suppose your Java web service accepts serialized image data and renders it using Java 2D. An attacker might supply a malicious image stream that triggers a flaw.
import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.InputStream;
import javax.imageio.ImageIO;

// BAD: Accepting untrusted binary data and passing it straight to Java 2D
InputStream in = request.getInputStream(); // request: the incoming HTTP request (e.g. HttpServletRequest)
BufferedImage img = ImageIO.read(in); // vulnerable call: decodes attacker-controlled bytes with no checks
// ... further processing ...
Graphics2D g2d = img.createGraphics(); // note: ImageIO.read returns null for unrecognised data
// work with g2d...
Data from the attacker reaching this call could trigger the CVE-2024-21145 bug, resulting in leaked data, or allowing the attacker to update or insert records in the app's memory, possibly corrupting its in-memory dataset or log events, or otherwise making it misbehave.
Note: This isn't the exact exploit chain, but it illustrates how hostile serialized input arriving through 2D API entry points can expose the app.
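A hardened counterpart to the BAD snippet, as an added example that is not the post's own code: it does not fix CVE-2024-21145 (only Oracle's patch does that), but it narrows what untrusted bytes can reach the 2D decoder by bounding the upload size, sniffing the format from the bytes instead of trusting the client's Content-Type, allowing only listed formats, and checking dimensions from the header before any pixel decoding runs. The class name, the size and dimension limits and the allowed-format set are assumptions.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Iterator;
import java.util.Set;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;

// Added example (not the post's code): bounded, allow-listed image decoding.
// Limits and allowed formats are assumptions for illustration; tune per application.
public final class SafeImageDecoder {
    private static final int MAX_BYTES = 5 * 1024 * 1024;   // assumed upload cap
    private static final int MAX_DIMENSION = 8192;          // assumed width/height cap
    private static final Set<String> ALLOWED_FORMATS = Set.of("png", "jpeg");
    public static BufferedImage decode(InputStream untrusted) throws IOException {
        // Read one byte past the cap so an oversized body is rejected, never buffered whole (Java 9+).
        byte[] data = untrusted.readNBytes(MAX_BYTES + 1);
        if (data.length > MAX_BYTES) {
            throw new IOException("image exceeds " + MAX_BYTES + " bytes");
        }
        try (ImageInputStream iis = ImageIO.createImageInputStream(new ByteArrayInputStream(data))) {
            if (iis == null) {
                throw new IOException("no ImageInputStream available");
            }
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis); // sniffs magic bytes
            if (!readers.hasNext()) {
                throw new IOException("unrecognised image format");
            }
            ImageReader reader = readers.next();
            try {
                String format = reader.getFormatName().toLowerCase();
                if (!ALLOWED_FORMATS.contains(format)) {
                    throw new IOException("format not allowed: " + format);
                }
                reader.setInput(iis, true, true); // seekForwardOnly, ignoreMetadata
                int w = reader.getWidth(0), h = reader.getHeight(0); // header-only reads
                if (w <= 0 || h <= 0 || w > MAX_DIMENSION || h > MAX_DIMENSION) {
                    throw new IOException("image dimensions out of range: " + w + "x" + h);
                }
                return reader.read(0); // full decode only after every check has passed
            } finally {
                reader.dispose();
            }
        }
    }
}
```

Call SafeImageDecoder.decode(request.getInputStream()) in place of ImageIO.read and treat any IOException as a rejected upload; running the decoder in a separate, resource-limited process is worthwhile defence in depth on top of patching.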
REST or SOAP endpoints that accept graphic data as uploads (PNG, JPEG, SVG, etc.) could be targeted.
2. Remote Desktop/Visualization
Systems that do server-side rendering for client graphics may parse attacker-controlled graphical assets.
3. Java Clients (Web Start / Applets)
The Java sandbox is supposed to be safe, but loading code from the web that uses the 2D component can open up the vulnerability if the sandbox fails to enforce its boundaries.
Proof of Concept (PoC) Outline
While a full working exploit is not public, here's a high-level PoC flow based on available information:
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;

// 1. Create a specially crafted image stream (PoisonedImage.dat):
//    This would be customized to trigger the underlying 2D bug
// 2. Send payload to vulnerable API endpoint:
HttpURLConnection con = (HttpURLConnection) new URL("https://vulnerable.example.com/api/upload").openConnection();
con.setDoOutput(true);
con.setRequestMethod("POST");
try (OutputStream out = con.getOutputStream()) {
    Files.copy(Paths.get("PoisonedImage.dat"), out);
}
int responseCode = con.getResponseCode();
// 3. Check for side-effects: Did I get data I should not? Was data changed unexpectedly?
References
- Oracle Security Advisory: April 2024 Critical Patch Update
- National Vulnerability Database: CVE-2024-21145
- Java SE Support Roadmap (Oracle)
- GraalVM Release Notes
- Patch immediately: update Java SE or GraalVM to the latest version specified in the Oracle CPU April 2024.
- Limit network access to endpoints handling graphics data.
- Disable Java Web Start/Applets.
Conclusion
CVE-2024-21145 underscores the risk of processing untrusted input via Java's rich API landscape. Even "non-critical" areas like graphics can hide dangerous secrets if left unpatched. If you run or maintain systems on affected Oracle Java SE or GraalVM versions, take prompt action to update and review how you handle incoming data.
Stay safe—patch early, patch often!
*This post is exclusive and distills CVE-2024-21145 using information from official sources and security best practices.*
Timeline
Published on: 07/16/2024 23:15:15 UTC
Last modified on: 09/20/2024 13:46:53 UTC