Vulnerability Name:

CVE-2017-10350

Assigned:2017-06-21
Published:2017-10-17
Updated:2017-12-14
Summary:Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVSS v3 Severity:5.3 Medium (CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
5.3 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
5.3 Medium (REDHAT CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (REDHAT Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-770
References:Source: CONFIRM
Type: VENDOR_ADVISORY
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: BID
Type: VENDOR_ADVISORY
101341

Source: SECTRACK
Type: VENDOR_ADVISORY
1039596

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2998

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2999

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3046

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3264

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3267

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3268

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3392

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3453

Source: XF
Type: UNKNOWN
oracle-cpuoct2017-cve201710350(133779)

Source: GENTOO
Type: UNKNOWN
GLSA-201710-31

Source: GENTOO
Type: UNKNOWN
GLSA-201711-14

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20171019-0001/

Source: DEBIAN
Type: UNKNOWN
DSA-4015

Source: DEBIAN
Type: UNKNOWN
DSA-4048

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:jdk:1.7.0:update_151:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdk:1.8.0:update_144:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdk:1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jre:1.7.0:update_151:*:*:*:*:*:*
  • OR cpe:/a:oracle:jre:1.8.0:update_144:*:*:*:*:*:*
  • OR cpe:/a:oracle:jre:1.9.0:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/a:redhat:rhel_extras_oracle_java:6:*:*:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/a:redhat:rhel_extras_oracle_java:7:*:*:*:*:*:*:*

    Oval Definitions (Class: P = patch definition, V = vulnerability definition)
    Definition ID                                | Class | Title                                                                        | Last Modified
    oval:com.redhat.rhsa:def:20173046            | P     | RHSA-2017:3046: java-1.7.0-oracle security update (Important)                | 2017-12-14
    oval:com.redhat.rhsa:def:20172999            | P     | RHSA-2017:2999: java-1.8.0-oracle security update (Critical)                 | 2017-12-14
    oval:org.opensuse.security:def:201710350     | V     | CVE-2017-10350                                                               | 2017-12-13
    oval:com.redhat.rhsa:def:20173392            | P     | RHSA-2017:3392: java-1.7.0-openjdk security and bug fix update (Important)   | 2017-12-06
    oval:com.redhat.rhsa:def:20172998            | P     | RHSA-2017:2998: java-1.8.0-openjdk security update (Critical)                | 2017-10-20
    oval:com.ubuntu.trusty:def:201710350000      | V     | CVE-2017-10350 on Ubuntu 14.04 LTS (trusty) - medium.                        | 2017-10-19
    oval:com.ubuntu.xenial:def:201710350000      | V     | CVE-2017-10350 on Ubuntu 16.04 LTS (xenial) - medium.                        | 2017-10-19