CVE-2025-21502: 
Amazon Corretto JDK vulnerability analysis and mitigation

CVE-2025-21502 is a vulnerability discovered in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition (component: Hotspot). The affected versions include Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; and Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. The vulnerability was disclosed on January 21, 2025 (Oracle CPU).

This is a difficult to exploit vulnerability that allows unauthenticated attackers with network access via multiple protocols to compromise the affected systems. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.8 (Medium) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability can be exploited through APIs in the specified Component, such as through a web service which supplies data to the APIs (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of the accessible data as well as unauthorized read access to a subset of accessible data. This vulnerability particularly affects Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security (Oracle CPU).

Oracle has released patches for the affected versions as part of its January 2025 Critical Patch Update. Various distributions have also released patches, including Debian which has fixed the issue in openjdk-11 version 11.0.26+4-1~deb11u1 and openjdk-17 version 17.0.14+7-1~deb11u1 (Debian LTS, Debian LTS).

The vulnerability has garnered attention from various organizations and security researchers. NetApp has issued an advisory (NTAP-20250124-0009) detailing the impact on their products and providing remediation guidance. The open-source community has been actively discussing the vulnerability's impact on OpenJDK implementations (OSS Security).