CVE-2021-35556: Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Security readout for executives and security teams
Plain-English summary
This is a Java/Swing sandbox issue that can let unauthenticated network-originated untrusted Java code cause partial denial of service in affected Java SE or GraalVM Enterprise deployments. It matters mainly where legacy applets or Java Web Start apps run untrusted internet code; typical server-side Java running administrator-installed trusted code is outside Oracle’s stated scope.
Executive priority
Prioritize remediation where legacy client-side Java remains enabled or where regulated services depend on Java availability. This is not a broad server-side data compromise signal from the provided sources, but outdated Java runtimes should still be removed or updated as part of routine risk reduction.
Technical view
CVE-2021-35556 affects Oracle Java SE JDK/JRE 7u311, 8u301, 11.0.12, 17 and GraalVM Enterprise Edition 20.3.3/21.2.0. Component: Swing. CWE-693. CVSS 5.3, availability impact only. Oracle describes unauthenticated network exploitation over multiple protocols, but only for sandboxed untrusted-code deployments.
Likely exposure
Likely exposure is concentrated on desktops, legacy browser-era Java workflows, or Java Web Start environments that load untrusted internet code. Server-side Java applications running only administrator-installed trusted code are not in Oracle’s stated affected deployment category.
Exploitation context
The source bundle does not show CISA KEV listing or cited evidence of active exploitation. The vulnerability is described as easily exploitable, unauthenticated, and network reachable, but the stated impact is partial denial of service, not code execution or data theft.
Researcher notes
The main scoping detail is Oracle’s deployment note: the issue applies to sandboxed untrusted-code Java deployments, not typical trusted-code server deployments. Public sources in the bundle do not provide exploit mechanics or active exploitation evidence. Treat product advisories as authoritative for bundled Java cases.
Mitigation direction
Apply Oracle Java SE or GraalVM updates from the October 2021 CPU guidance.
Use OS vendor OpenJDK updates where Java is supplied by Debian, Fedora, Gentoo, or similar distributions.
Retire or disable Java applets and Web Start workflows that run untrusted code where possible.
Inventory GraalVM Enterprise deployments and align them with vendor-supported fixed releases.
Check NetApp and other product advisories for bundled Java exposure.
Validation and detection
Identify Java SE, JDK, JRE, OpenJDK, and GraalVM versions across endpoints and servers.
Flag Java SE 7u311, 8u301, 11.0.12, 17 and GraalVM EE 20.3.3/21.2.0.
Confirm whether any environment runs sandboxed applets or Java Web Start applications from untrusted sources.
Verify distribution packages include the relevant 2021 Java security updates.
Review asset owners’ evidence that server deployments load only trusted code.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-693: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-693 · source CWE mapping
Protection Mechanism Failure
Protection Mechanism Failure represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.