Vulnerability Name:

CVE-2017-10356

Assigned:2017-06-21
Published:2017-10-17
Updated:2017-12-14
Summary:Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVSS v3 Severity:6.2 Medium (CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.4 Medium (Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.2 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.4 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.2 Medium (REDHAT CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.4 Medium (REDHAT Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-200
CWE-327
References:Source: CONFIRM
Type: VENDOR_ADVISORY
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: BID
Type: VENDOR_ADVISORY
101413

Source: SECTRACK
Type: VENDOR_ADVISORY
1039596

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2998

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2999

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3046

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3047

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3264

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3267

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3268

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3392

Source: REDHAT
Type: UNKNOWN
RHSA-2017:3453

Source: XF
Type: UNKNOWN
oracle-cpuoct2017-cve201710356(133785)

Source: GENTOO
Type: UNKNOWN
GLSA-201710-31

Source: GENTOO
Type: UNKNOWN
GLSA-201711-14

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20171019-0001/

Source: DEBIAN
Type: UNKNOWN
DSA-4015

Source: DEBIAN
Type: UNKNOWN
DSA-4048

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:jdk:1.6.0:update_161:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdk:1.7.0:update_151:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdk:1.8.0:update_144:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdk:1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jre:1.6.0:update_161:*:*:*:*:*:*
  • OR cpe:/a:oracle:jre:1.7.0:update_151:*:*:*:*:*:*
  • OR cpe:/a:oracle:jre:1.8.0:update_144:*:*:*:*:*:*
  • OR cpe:/a:oracle:jre:1.9.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:rhel_extras_oracle_java:6:*:*:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/a:redhat:rhel_extras_oracle_java:7:*:*:*:*:*:*:*
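
Checking a host against the Oracle versions in Configuration 1 (added example, not part of the original record): the script below parses the banner printed by `java -version`, which uses the 1.x.0_NNN scheme for Java 6/7/8 and the plain "9" / "9.0.1" scheme for JDK 9, and compares it with the updates listed above. Two assumptions are labelled in the code: earlier updates in a listed family (for example 8u131) are treated as affected, which is the usual reading of an Oracle CPU affected-versions list; and JDK 9 is listed here only as "9", so any later 9.x build is reported as "not listed" rather than as fixed. The sample banners in the script are constructed. Distribution packages (the Red Hat configurations and the Debian, Gentoo and Ubuntu advisories above) are better checked against those advisories or the OVAL definitions than by version string alone.

```python
import re
import subprocess

# Latest affected update per Java SE family, as listed in this record
# (Java SE 6u161, 7u151, 8u144). Earlier updates in the same family are
# treated as affected as well: an assumption following the usual reading of
# an Oracle CPU "affected versions" list, not a statement made in the record.
LAST_AFFECTED_UPDATE = {6: 161, 7: 151, 8: 144}

# JDK 9 appears in the record only as "9" (CPE 1.9.0 with no update level) and
# no fixed 9.x release is named, so anything beyond plain 9 is reported as
# "not listed" rather than "not affected".
VERSION_LINE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)
LEGACY = re.compile(r"^1\.(\d+)\.0_(\d+)$")  # 1.8.0_144 style (Java 6/7/8)


def parse_java_version(banner):
    """Return (family, rest) from the first line of a `java -version` banner.

    Legacy scheme:  1.8.0_144  -> (8, (144,))
    JDK 9 scheme:   9          -> (9, ())
                    9.0.1+11   -> (9, (0, 1))   build / pre-release suffix dropped
    """
    m = VERSION_LINE.search(banner)
    if not m:
        raise ValueError("no 'java version' line in banner")
    version = m.group(1)
    legacy = LEGACY.match(version)
    if legacy:
        return int(legacy.group(1)), (int(legacy.group(2)),)
    core = re.split(r"[-+]", version, maxsplit=1)[0]  # strip "-ea" or "+181"
    nums = tuple(int(p) for p in core.split("."))
    if nums[0] == 1 and len(nums) > 1:  # "1.8.0" with no update level at all
        return nums[1], (0,)
    return nums[0], nums[1:]


def classify(banner):
    """Map a `java -version` banner to 'affected', 'not affected' or 'not listed'."""
    family, rest = parse_java_version(banner)
    if family in LAST_AFFECTED_UPDATE:
        update = rest[0] if rest else 0
        if update <= LAST_AFFECTED_UPDATE[family]:
            return "affected"
        return "not affected"  # a later update than the one listed here
    if family == 9:
        return "affected" if not any(rest) else "not listed"
    return "not listed"


def check_local_java(java="java"):
    """Run `java -version` (it writes the banner to stderr) and classify it."""
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    banner = proc.stderr or proc.stdout
    return parse_java_version(banner), classify(banner)


if __name__ == "__main__":
    # Constructed sample banners; not captured from a real system.
    samples = [
        'java version "1.8.0_144"\nJava(TM) SE Runtime Environment (build 1.8.0_144-b01)',
        'java version "1.8.0_152"\nJava(TM) SE Runtime Environment (build 1.8.0_152-b16)',
        'java version "9"\nJava(TM) SE Runtime Environment (build 9+181)',
        'java version "9.0.1"\nJava(TM) SE Runtime Environment (build 9.0.1+11)',
        'openjdk version "1.7.0_151"\nOpenJDK Runtime Environment',
    ]
    for s in samples:
        print(f"{s.splitlines()[0]:32} -> {classify(s)}")
```

Run `check_local_java()` on the host itself, or pass a path such as a bundled JRE's bin/java, since many servers carry several runtimes and the one on PATH is not necessarily the one an application uses.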

    Oval Definitions
    Definition ID                             Class  Last Modified  Title
    oval:org.opensuse.security:def:201710356   V      2018-01-22     CVE-2017-10356
    oval:com.redhat.rhsa:def:20173046         P      2017-12-14     RHSA-2017:3046: java-1.7.0-oracle security update (Important)
    oval:com.redhat.rhsa:def:20173047         P      2017-12-14     RHSA-2017:3047: java-1.6.0-sun security update (Important)
    oval:com.redhat.rhsa:def:20172999         P      2017-12-14     RHSA-2017:2999: java-1.8.0-oracle security update (Critical)
    oval:com.redhat.rhsa:def:20173392         P      2017-12-06     RHSA-2017:3392: java-1.7.0-openjdk security and bug fix update (Important)
    oval:com.redhat.rhsa:def:20172998         P      2017-10-20     RHSA-2017:2998: java-1.8.0-openjdk security update (Critical)
    oval:com.ubuntu.trusty:def:201710356000    V      2017-10-19     CVE-2017-10356 on Ubuntu 14.04 LTS (trusty) - medium.
    oval:com.ubuntu.xenial:def:201710356000    V      2017-10-19     CVE-2017-10356 on Ubuntu 16.04 LTS (xenial) - medium.
    (Class: V = vulnerability definition, P = patch definition)