Security Bulletin

SecB0013: CVE-2024-21147

Summary

First published: July 14, 2025

Description

CVE-2024-21147 is a high-severity vulnerability (CVSS 7.4) affecting the Java HotSpot Virtual Machine in Oracle Java and compatible distributions such as Amazon Corretto. This vulnerability may allow remote attackers to compromise Java-based applications under specific conditions involving unsafe deserialization or malformed input handling.

This vulnerability affects Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition (component: Hotspot). Supported affected versions include Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. The vulnerability is difficult to exploit but allows unauthenticated attackers with network access via multiple protocols to compromise these Java environments.

Products

enteliWEB (not affected)

Why enteliWEB Is Not Affected

JVM Isolation
enteliWEB's architecture does not expose the Java Virtual Machine (JVM) directly to end users. All interactions with Java components are mediated through internal logic and web services, preventing direct exploitation paths.
Controlled Use of Corretto 21.0.2
The affected module—Amazon Corretto 21.0.2—is used exclusively within the BIRT Reporting Engine, a subsystem of enteliWEB responsible for generating structured reports. This component is not exposed directly to users or external interfaces.
Sanitized and Internal Data Only
enteliWEB does not provide any feature or interface that allows customers to upload or submit XML, JSON, or serialized Java objects that could interact with the JVM. Report parameters are passed through the PHP backend, where they are strictly sanitized before being handed to the BIRT engine.
In one scenario, BIRT uses these sanitized parameters to issue SQL queries directly to the PostgreSQL server. In another, the PHP backend performs the database queries and passes only the result set to BIRT for rendering.
In both cases, there is no possibility for interactive XML/JSON or raw serialized data from users to reach the JVM. This architectural model inherently prevents exploitation of CVE-2024-21147.

Recommended Action

None. While enteliWEB is not affected, Delta Controls takes security seriously. The Amazon Corretto JDK will be upgraded to version 21.0.4 or later as part of the enteliWEB 4.31 release, eliminating any theoretical exposure and aligning with security best practices.

CVE Details

CVE ID	CVSS Vector	Score
CVE-2024-21147	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N	7.4

	Delta Controls Security Bulletin: OpenSSL Vulnerability CVE-2022-3786 and CVE-2022-3602 Delta Controls Security Bulletin SecB0006 details an OpenSSL vulnerability (CVE-2022-3786, CVE-2022-3602) related to buffer overflows in X.509 certificate verification. It provides a summary, description, affected products, recommended actions, and CVSS scoring information, along with an explanation of the Common Vulnerability Scoring System.
	Security Bulletin: CVE-2020-25694, 25695, 25696 - Delta Controls Details a critical security vulnerability (CVE-2020-25694, 25695, 25696) affecting PostgreSQL versions prior to 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24, impacting enteliSYNC. Provides recommended actions and mitigation strategies for Delta Controls products.
	Delta Controls Niagara Security Bulletin: CVE-2023-4863 Vulnerability Update Delta Controls issues Security Bulletin SecB0009 for Niagara Framework and Niagara Enterprise Security, addressing a critical vulnerability (CVE-2023-4863) in the libwebp component used by jxBrowser. Details recommended updates to Niagara Framework 4.10u7 and 4.13u2 to mitigate risks.
	enteliWEB v4.0 Deployment Planning Guide \| Delta Controls This Deployment Planning Guide for enteliWEB v4.0 by Delta Controls provides essential information for planning system deployments. It covers site sizing, hardware and software requirements for physical servers and virtual machines, installation guidelines including services and network ports, comprehensive security features, licensing, email configuration, bandwidth considerations, browser compatibility, IIS settings, and troubleshooting procedures.
	enteliWEB Network Hardening Guide This guide provides essential information for planning and implementing robust security best practices for enteliWEB installations, covering critical areas such as password management, user permissions, server security, and network hardening.
	enteliWEB 4.2 Release Notes This document provides release notes for enteliWEB version 4.2, detailing new features, system requirements, installation instructions, and known issues.
	Delta Controls enteliWEB Case Study: Brooke Army Medical Center Infection Control This case study details how Delta Controls' enteliWEB system was implemented at Brooke Army Medical Center (BAMC) to enhance infection control, environmental monitoring, and operational efficiency, improving patient safety and facility management.
	Delta Controls e301 enteliWEB Fundamentals Course Description Detailed course description for Delta Controls' e301 enteliWEB Fundamentals training. Covers course objectives, logistics, prerequisites, and topics including enteliWEB software, object management, alarms, and user administration.

Summary

Description

Products

Why enteliWEB Is Not Affected

JVM Isolation

Controlled Use of Corretto 21.0.2

Sanitized and Internal Data Only

Recommended Action

CVE Details

Related Documents