PublicDateAtUSN: 2017-07-20
Candidate: CVE-2017-10090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10090
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA
https://usn.ubuntu.com/usn/usn-3366-1
https://usn.ubuntu.com/usn/usn-3396-1

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE
(subcomponent: Libraries). Supported versions that are affected are Java
SE: 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded. Successful
attacks require human interaction from a person other than the attacker and
while the vulnerability is in Java SE, Java SE Embedded, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of Java SE, Java SE Embedded. Note:
This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the internet)
and rely on the Java sandbox for security. This vulnerability does not
apply to Java deployments, typically in servers, that load and run only
trusted code (e.g., code installed by an administrator). CVSS 3.0 Base
Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

It was discovered that the channel groups implementation in OpenJDK
did not properly perform access control checks in some situations. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions.

upstream_openjdk-7: needs-triage
precise/esm_openjdk-7: DNE
trusty_openjdk-7: released (7u151-2.6.11-0ubuntu1.14.04.1)
vivid/ubuntu-core_openjdk-7: DNE
yakkety_openjdk-7: DNE

upstream_openjdk-9: needs-triage
precise/esm_openjdk-9: DNE
vivid/ubuntu-core_openjdk-9: DNE
xenial_openjdk-9: needs-triage
yakkety_openjdk-9: ignored (reached end-of-life)
zesty_openjdk-9: ignored (reached end-of-life)
artful_openjdk-9: not-affected (9b181-1)

upstream: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/51631f9fa8d8
upstream_openjdk-8: needs-triage
precise/esm_openjdk-8: DNE
vivid/ubuntu-core_openjdk-8: DNE
xenial_openjdk-8: released (8u131-b11-2ubuntu1.16.04.2)
yakkety_openjdk-8: ignored (reached end-of-life)
zesty_openjdk-8: released (8u131-b11-2ubuntu1.17.04.2)
artful_openjdk-8: not-affected (8u141-b15-1)
bionic_openjdk-8: not-affected (8u141-b15-1)
devel_openjdk-8: not-affected (8u141-b15-1)