The Oracle Java SE is a widely used Java runtime environment that powers many applications. This vulnerability allows attackers to execute arbitrary code on your server by exploiting the security features of Java. If your app uses Java and logs user input, you're at risk.
You're affected if you use:
- Oracle Java SE versions 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, or 25
Check with: find / -name "libjava.so" (Linux) or find %PROGRAMFILES% -name "jre*" (Windows)
Note: This vulnerability is specific to Oracle Java SE and not related to other Java implementations like OpenJDK.
Upgrade to Oracle Java SE 17.0.16 or later.
Maven: Update your pom.xml dependency version
If you can't upgrade immediately:
- Set java.security.manager.logging.fullySpecifiedFrags to true as a JVM flag
- Remove the javax management extension classes from your classpath