CVE-2024-21085: Low severity NetApp Active Iq Unified Manager Vmware Vsphere vulnerability

Published Apr 14, 2024
·
Updated

A flaw was found in the Pack200 archive format in OpenJDK. The NativeUnpack class did not properly validate the memory size when allocating a buffer, potentially leading to an excessive memory allocation and denial of service condition.

Other sources

An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.

IBM

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

NVD

Affected Software

16 affected componentsFixes available
debian/openjdk-11
11.0.24+8-2~deb11u111.0.26+4-1~deb11u111.0.27+6-1
debian/openjdk-8
8u442-ga-2
NetApp Active Iq Unified Manager Vmware Vsphere
NetApp Active Iq Unified Manager Windows
NetApp Data Infrastructure Insights Acquisition Unit
NetApp Data Infrastructure Insights Storage Workload Security Agent
NetApp OnCommand Insight
NetApp OnCommand Workflow Automation
Debian Debian Linux=10.0
Oracle GraalVM=20.3.13
Oracle GraalVM=21.3.9
Oracle JDK=1.8.0-update401
Oracle JDK=11.0.22
Oracle JRE=1.8.0-update401
Oracle JRE=11.0.22
IBM InfoSphere Data Architect<=9.2.1

Remediation

Patch Available

https://github.com/openjdk/jdk8u/commit/2ffb900d7eca6472fd21d362d00e229babb7bd3f

Patch Available

https://github.com/openjdk/jdk11u/commit/44165ab6786d42c4e413d72d55931393432ce1d2

Event History

Apr 14, 2024
Data Sourced
via Red Hat·04:25 PM
DescriptionSeverityAffected Software
Apr 16, 2024
CVE Published
via MITRE·09:26 PM
Data Sourced
via MITRE·09:26 PM
DescriptionSeverity
Data Sourced
via NVD·10:15 PM
DescriptionSeverity
Jun 6, 2024
Data Sourced
via Launchpad·04:54 AM
Description
Nov 11, 2024
Data Sourced
via Ubuntu·05:43 AM
RemedyDescriptionSeverityAffected Software
Mar 4, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-21085?

CVE-2024-21085 has been classified with a moderate severity level due to its potential to cause denial of service.

2

How do I fix CVE-2024-21085?

To remediate CVE-2024-21085, update OpenJDK to versions 11.0.24+8-2~deb11u1 or later for OpenJDK 11, or 8u432-b06-2 or later for OpenJDK 8.

3

Which software is affected by CVE-2024-21085?

CVE-2024-21085 affects OpenJDK 8 and OpenJDK 11, as well as IBM's Storage Protect Backup-Archive Client versions up to 8.1.23.0.

4

What type of vulnerability is CVE-2024-21085?

CVE-2024-21085 is a denial of service vulnerability caused by improper memory allocation in the Pack200 archive format of OpenJDK.

5

Is CVE-2024-21085 a known exploit?

As of now, there is no publicly disclosed exploit for CVE-2024-21085, though it presents a risk of denial of service.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203