Vulnerability CVE-2017-10393

Vulnerability Name:

CVE-2017-10393 (CCN-133817)

Assigned:

2017-10-17

Published:

2017-10-17

Updated:

2019-10-03

Summary:

Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware (subcomponent: Web Container). Supported versions that are affected are 3.0.1 and 3.1.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GlassFish Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle GlassFish Server accessible data as well as unauthorized read access to a subset of Oracle GlassFish Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GlassFish Server. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

CVSS v3 Severity:

6.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
5.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

6.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
5.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Other

References:

Source: MITRE
Type: CNA
CVE-2017-10393

Source: CCN
Type: Oracle CPUOct2017
Oracle Critical Patch Update Advisory - October 2017

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: BID
Type: UNKNOWN
101364

Source: CCN
Type: BID-101364
Oracle GlassFish Server CVE-2017-10393 Remote Security Vulnerability

Source: SECTRACK
Type: UNKNOWN
1039606

Source: XF
Type: UNKNOWN
oracle-cpuoct2017-cve201710393(133817)

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:glassfish_server:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:glassfish_server:3.1.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:glassfish_server:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:glassfish_server:3.1.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.artful:def:201710393000	V	CVE-2017-10393 on Ubuntu 17.10 (artful) - medium.	2017-10-19
oval:com.ubuntu.bionic:def:2017103930000000	V	CVE-2017-10393 on Ubuntu 18.04 LTS (bionic) - medium.	2017-10-19
oval:com.ubuntu.bionic:def:201710393000	V	CVE-2017-10393 on Ubuntu 18.04 LTS (bionic) - medium.	2017-10-19
oval:com.ubuntu.xenial:def:2017103930000000	V	CVE-2017-10393 on Ubuntu 16.04 LTS (xenial) - medium.	2017-10-19
oval:com.ubuntu.trusty:def:201710393000	V	CVE-2017-10393 on Ubuntu 14.04 LTS (trusty) - medium.	2017-10-19
oval:com.ubuntu.xenial:def:201710393000	V	CVE-2017-10393 on Ubuntu 16.04 LTS (xenial) - medium.	2017-10-19

BACK