CVE-2021-2161: Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions...

Description

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

3.13%

86.2th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions	Update
Oracle	Jdk	1.7.0	Update291
Oracle	Jdk	1.8.0	Update281
Oracle	Jdk	11.0.10	—
Oracle	Jdk	16.0.0	—
Oracle	Jre	1.8.0	Update281
Debian	Debian Linux	9.0	—
Debian	Debian Linux	10.0	—
Fedoraproject	Fedora	32	—
Fedoraproject	Fedora	33	—
Fedoraproject	Fedora	34	—
Oracle	Graalvm	19.3.5	—
Oracle	Graalvm	20.3.1.2	—
Oracle	Graalvm	21.0.0.2	—
Oracle	Openjdk	>= 11, <= 11.0.10	—
Oracle	Openjdk	>= 13, <= 13.0.6	—
Oracle	Openjdk	>= 15, <= 15.0.2	—
Oracle	Openjdk	7	—
Oracle	Openjdk	8	—
Oracle	Openjdk	16	—
Netapp	Active Iq Unified Manager	All versions	—
Netapp	Hci Management Node	All versions	—
Netapp	Solidfire	All versions	—
Netapp	Hci Compute Node	All versions	—
Netapp	Hci Storage Node	All versions	—
Mcafee	Epolicy Orchestrator	< 5.10.0	—
Mcafee	Epolicy Orchestrator	5.10.0	—

References

Timeline

Published: Apr 22, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-2161?

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

How severe is CVE-2021-2161?

CVE-2021-2161 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 3.13% probability of exploitation in the next 30 days.

How do I fix CVE-2021-2161?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.