CVE-2017-3241

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts).

CVSS v3 9.0 CRITICAL
CVSS v2.0 6.8 MEDIUM

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability : 2.2 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2017-0175.html
http://rhn.redhat.com/errata/RHSA-2017-0176.html
http://rhn.redhat.com/errata/RHSA-2017-0177.html
http://rhn.redhat.com/errata/RHSA-2017-0180.html
http://rhn.redhat.com/errata/RHSA-2017-0263.html
http://rhn.redhat.com/errata/RHSA-2017-0269.html
http://rhn.redhat.com/errata/RHSA-2017-0336.html
http://rhn.redhat.com/errata/RHSA-2017-0337.html
http://rhn.redhat.com/errata/RHSA-2017-0338.html
http://www.debian.org/security/2017/dsa-3782
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html	Patch Vendor Advisory
http://www.securityfocus.com/bid/95488
http://www.securitytracker.com/id/1037637
https://access.redhat.com/errata/RHSA-2017:1216
https://erpscan.io/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/
https://security.gentoo.org/glsa/201701-65
https://security.gentoo.org/glsa/201707-01
https://security.netapp.com/advisory/ntap-20170119-0001/
https://www.exploit-db.com/exploits/41145/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oracle:jdk:1.6:update_131::::::
	cpe:2.3:a:oracle:jdk:1.7:update_121::::::
	cpe:2.3:a:oracle:jdk:1.8:update_111::::::
	cpe:2.3:a:oracle:jdk:1.8:update_112::::::
	cpe:2.3:a:oracle:jre:1.6:update_131::::::
	cpe:2.3:a:oracle:jre:1.7:update_121::::::
	cpe:2.3:a:oracle:jre:1.8:update_111::::::
	cpe:2.3:a:oracle:jre:1.8:update_112::::::
	cpe:2.3:a:oracle:jrockit:r28.3.12:::::::*

History

No history.

Information

Published : 2017-01-27 22:59

Updated : 2023-12-10 12:01

NVD link : CVE-2017-3241

Mitre link : CVE-2017-3241

CVE.ORG link : CVE-2017-3241

JSON object : View

Products Affected

oracle

jrockit
jdk
jre

CWE

CWE-20

Improper Input Validation

9.0 /10