IRONSMITHINTEL
MEDIUM · CVSS 3.7
CVE-2024-21011 | Auth: none (a network-accessible Java application is sufficient) | Reboot: not required | Est. 30 minutes per server including application restart | Manual only

Oracle Java SE < 11.0.23 — DoS

An unauthenticated attacker can trigger a denial of service in Oracle Java SE's Hotspot JIT compiler by sending crafted input to a Java application. Apply the April 2024 Critical Patch Update — Java powers many enterprise server applications.

Published Apr 16, 2024 · Updated May 10, 2026
Why patch: risk explained in plain English
Worst-case scenario (if unpatched)

An attacker can crash Java processes handling their requests, causing service interruption. Applications relying on JIT compilation for performance (such as application servers, middleware, and microservices) may repeatedly crash when targeted.

How the attack works

The HotSpot JIT compiler in Java SE contains a flaw that lets an unauthenticated attacker with network access cause a partial denial of service. No user interaction is required beyond the attacker's own requests to the application.

Am I affected? Quick check

Probably yes if any of these apply:

Java Application Teams
DevOps Teams
Server Administrators
Running Java SE 8u401 and earlier, Java SE 11.0.22 and earlier, Java SE 17.0.10 and earlier, Java SE 21.0.2 and earlier

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: Java SE 8u411 / 11.0.23 / 17.0.11 / 21.0.3 (April 2024 CPU)
Real-world incidents: what we've seen

An e-commerce company discovers their Java-based payment processing service becomes unresponsive when a specific sequence of REST API calls is made. Investigation reveals an attacker was repeatedly sending crafted JSON payloads that triggered the HotSpot bug, causing intermittent outages. The fix is the April 2024 CPU update.

How to patch

Manual remediation steps

30 minutes per server including application restart

Check Installed Java Version

# Check default Java (only the java.exe that comes first on PATH is reported)
java -version 2>&1

# Find all Java installations on the system
Get-ChildItem "C:\Program Files\Java" -ErrorAction SilentlyContinue
Get-ChildItem "C:\Program Files\Eclipse Adoptium" -ErrorAction SilentlyContinue
Get-ChildItem "C:\Program Files\Microsoft" -Filter "jdk*" -ErrorAction SilentlyContinue

# Check JAVA_HOME
$env:JAVA_HOME

Download and Install the April 2024 CPU

1. Download from Oracle: https://www.oracle.com/java/technologies/javase-downloads.html
   Java 8: 8u411
   Java 11: 11.0.23
   Java 17: 17.0.11
   Java 21: 21.0.3
2. Run the installer and follow prompts
3. Restart any Java application servers (Tomcat, JBoss, WebSphere, etc.)

Or Use Adoptium (OpenJDK) as an Alternative

# Install via winget (Adoptium Temurin builds follow Oracle CPU release cycle)
winget install EclipseAdoptium.Temurin.21.JDK
winget install EclipseAdoptium.Temurin.17.JDK

Verify

java -version 2>&1
# Must show 8u411 / 11.0.23 / 17.0.11 / 21.0.3 or later
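The check and verify steps above can be run as one script. The following is an added example, not IronsmithIntel's script and not Oracle's or Adoptium's tooling: it enumerates the same vendor directories the check step lists (plus JAVA_HOME and the java.exe first on PATH), runs java -version on each installation, normalises both Java version string formats (legacy "1.8.0_401" and modern "11.0.22") to a comparable form, and flags anything below the fixed builds 8u411 / 11.0.23 / 17.0.11 / 21.0.3. Function names, the search roots and the regular expressions are this example's own assumptions; JREs bundled inside application servers are not discovered by it and must be checked separately.

```powershell
# Added example (not the advisory's own script): inventory Java installations on a
# Windows Server host and flag those below the April 2024 CPU fixed versions.
# Assumption: installations live under the vendor directories from the check step,
# JAVA_HOME, or are first on PATH. Bundled JREs inside app servers are NOT found.

# Fixed versions from the advisory, keyed by feature release.
$FixedVersions = @{
    8  = [version]'8.0.411'
    11 = [version]'11.0.23'
    17 = [version]'17.0.11'
    21 = [version]'21.0.3'
}

function ConvertTo-JavaVersion {
    <# Normalise both Java version string formats to a [version] object:
       legacy "1.8.0_401" -> 8.0.401; modern "11.0.22", "21.0.3+9-LTS" -> 11.0.22, 21.0.3.
       A bare "17" becomes 17.0.0 (the GA build, which is below 17.0.11).
       Returns $null for strings it cannot parse. #>
    param([Parameter(Mandatory)][string]$VersionString)

    if ($VersionString -match '^1\.(\d+)\.(\d+)_(\d+)') {
        return [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3])
    }
    if ($VersionString -match '^(\d+)(?:\.(\d+))?(?:\.(\d+))?') {
        $major = [int]$Matches[1]
        $minor = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
        $patch = if ($Matches[3]) { [int]$Matches[3] } else { 0 }
        return [version]::new($major, $minor, $patch)
    }
    return $null
}

function Test-JavaVersionPatched {
    <# $true if the version is at or above the fixed build for its feature release.
       Feature releases the advisory does not list (e.g. 9, 10, 12-16, 22) are
       reported as unknown ($null) rather than guessed. #>
    param([Parameter(Mandatory)][version]$Version)

    if (-not $FixedVersions.ContainsKey($Version.Major)) { return $null }
    return $Version -ge $FixedVersions[$Version.Major]
}

function Get-JavaVersionFromExe {
    # "java -version" prints to stderr; merge it and pull the quoted version token.
    param([Parameter(Mandatory)][string]$JavaExe)

    $out = & $JavaExe -version 2>&1 | Out-String
    if ($out -match 'version "([^"]+)"') { return $Matches[1] }
    return $null
}

function Find-JavaExecutables {
    # Candidate JDK/JRE homes: the vendor directories from the check step (the
    # Microsoft directory filtered to jdk*, as on the page), plus JAVA_HOME.
    $homes = @(
        @(
            Get-ChildItem "$env:ProgramFiles\Java" -Directory -ErrorAction SilentlyContinue
            Get-ChildItem "$env:ProgramFiles\Eclipse Adoptium" -Directory -ErrorAction SilentlyContinue
            Get-ChildItem "$env:ProgramFiles\Microsoft" -Directory -Filter 'jdk*' -ErrorAction SilentlyContinue
        ) | Select-Object -ExpandProperty FullName
    )
    if ($env:JAVA_HOME) { $homes += $env:JAVA_HOME }

    $exes = @(foreach ($h in $homes) {
        $candidate = Join-Path $h 'bin\java.exe'
        if (Test-Path $candidate) { $candidate }
    })
    # The java.exe first on PATH is the one a plain "java -version" reports.
    $onPath = Get-Command java.exe -ErrorAction SilentlyContinue
    if ($onPath) { $exes += $onPath.Source }
    return $exes | Sort-Object -Unique
}

function Get-JavaPatchStatus {
    # One row per java.exe found: path, raw version string, Patched ($true/$false/$null).
    foreach ($exe in Find-JavaExecutables) {
        $raw    = Get-JavaVersionFromExe -JavaExe $exe
        $parsed = if ($raw) { ConvertTo-JavaVersion -VersionString $raw } else { $null }
        [pscustomobject]@{
            Path    = $exe
            Version = $raw
            Patched = if ($parsed) { Test-JavaVersionPatched -Version $parsed } else { $null }
        }
    }
}

$status = @(Get-JavaPatchStatus)
$status | Format-Table -AutoSize
$unpatched = @($status | Where-Object { $_.Patched -eq $false })
Write-Host "$($unpatched.Count) installation(s) below the April 2024 CPU fixed version."
```

Run it once before patching to get the inventory and once after the application servers are restarted to confirm every row reads Patched = True. A Patched value of $null means the version string was either unparseable or belongs to a feature release the advisory does not list, so check that installation by hand rather than treating it as clean.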
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.