LiveActive security incident?Get immediate response
CVE Record

CVE-2021-35556: Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

MediumCVSS 5.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Java/Swing sandbox issue that can let unauthenticated network-originated untrusted Java code cause partial denial of service in affected Java SE or GraalVM Enterprise deployments. It matters mainly where legacy applets or Java Web Start apps run untrusted internet code; typical server-side Java running administrator-installed trusted code is outside Oracle’s stated scope.

Executive priority

Prioritize remediation where legacy client-side Java remains enabled or where regulated services depend on Java availability. This is not a broad server-side data compromise signal from the provided sources, but outdated Java runtimes should still be removed or updated as part of routine risk reduction.

Technical view

CVE-2021-35556 affects Oracle Java SE JDK/JRE 7u311, 8u301, 11.0.12, 17 and GraalVM Enterprise Edition 20.3.3/21.2.0. Component: Swing. CWE-693. CVSS 5.3, availability impact only. Oracle describes unauthenticated network exploitation over multiple protocols, but only for sandboxed untrusted-code deployments.

Likely exposure

Likely exposure is concentrated on desktops, legacy browser-era Java workflows, or Java Web Start environments that load untrusted internet code. Server-side Java applications running only administrator-installed trusted code are not in Oracle’s stated affected deployment category.

Exploitation context

The source bundle does not show CISA KEV listing or cited evidence of active exploitation. The vulnerability is described as easily exploitable, unauthenticated, and network reachable, but the stated impact is partial denial of service, not code execution or data theft.

Researcher notes

The main scoping detail is Oracle’s deployment note: the issue applies to sandboxed untrusted-code Java deployments, not typical trusted-code server deployments. Public sources in the bundle do not provide exploit mechanics or active exploitation evidence. Treat product advisories as authoritative for bundled Java cases.

Mitigation direction

  • Apply Oracle Java SE or GraalVM updates from the October 2021 CPU guidance.
  • Use OS vendor OpenJDK updates where Java is supplied by Debian, Fedora, Gentoo, or similar distributions.
  • Retire or disable Java applets and Web Start workflows that run untrusted code where possible.
  • Inventory GraalVM Enterprise deployments and align them with vendor-supported fixed releases.
  • Check NetApp and other product advisories for bundled Java exposure.

Validation and detection

  • Identify Java SE, JDK, JRE, OpenJDK, and GraalVM versions across endpoints and servers.
  • Flag Java SE 7u311, 8u301, 11.0.12, 17 and GraalVM EE 20.3.3/21.2.0.
  • Confirm whether any environment runs sandboxed applets or Java Web Start applications from untrusted sources.
  • Verify distribution packages include the relevant 2021 Java security updates.
  • Review asset owners’ evidence that server deployments load only trusted code.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-693: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2021-35556 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
14Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.3CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L3.91.4oracle

Vulnerability scoring details

Base CVSS 3.1 score

5.3Medium
CVSS 3.1 vector shape for CVE-2021-35556Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Oracle CorporationJava SE JDK and JREJava SE:7u311, Java SE:8u301, Java SE:11.0.12, Java SE:17, Oracle GraalVM Enterprise Edition:20.3.3, Oracle GraalVM Enterprise Edition:21.2.0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-693 · source CWE mapping

Protection Mechanism Failure

Protection Mechanism Failure represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.