Multiple vulnerabilities in Oracle Java SE, Java SE Embedded and JRockit

Description

Multiple serious vulnerabilities have been found in Oracle products. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, obtain sensitive information, cause denial of service and perform unspecified attacks.

Below is a complete list of vulnerabilities:

1. Multiple unspecified vulnerabilities in the Libraries component can be exploited remotely to bypass security restrictions;
2. An unspecified vulnerability in the Libraries component can be exploited remotely to bypass security restrictions;
3. An unspecified vulnerability in the Install component can be exploited locally to perform unspecified attacks;
4. An unspecified vulnerability in the Security component can be exploited locally via a specially crafted JCEKS key store to execute arbitrary code and obtain sensitive information;
5. An unspecified vulnerability in the Security component can be exploited remotely to perform unspecified attacks;
6. An unbounded memory allocation during deserialization in Container can be exploited remotely via specially crafted input to cause denial of service;
7. An unbounded memory allocation during deserialization in PriorityBlockingQueue can be exploited remotely via specially crafted input to cause denial of service;
8. An unbounded memory allocation during deserialization in NamedNodeMapImpl can be exploited remotely via specially crafted input to cause denial of service;
9. An unbounded memory allocation during deserialization in TabularDataSupport can be exploited remotely via specially crafted input to cause denial of service;
10. An insufficient consistency checks in deserialization of multiple classes in the Security component can be exploited remotely via specially crafted input to cause denial of service;
11. An unbounded memory allocation during deserialization in StubIORImpl can be exploited remotely via specially crafted input to cause denial of service;
12. An unspecified vulnerabilities in the RMI can be exploited remotely to bypass security restrictions;
13. An incorrect merging of sections in the JAR manifest can be exploited remotely to bypass security restrictions.

---

Technical details

Java SE 10 is affected by vulnerabilities (1)-(11) and (13)

Java SE 8 is affected by vulnerabilities (2)-(13)

Java SE 6 and 7 is affected by vulnerabilities (2) and (4)-(13)

Java SE Embedded 8 is affected by vulnerabilities (2), (5)-(11) and (13)

JRockit is affected by vulnerabilities (5)-(12)

Original advisories

• Oracle Critical Patch Update Advisory – April 2018

Exploitation

Public exploits exist for this vulnerability.

Related products

• Oracle-Java-JRE-1.7.x
• Oracle-Java-JRE-1.8.x
• Oracle-JRockit
• Oracle-Java-JRE-1.10.x

CVE list

• CVE-2018-2811
  critical
• CVE-2018-2814
  critical
• CVE-2018-2815
  high
• CVE-2018-2783
  high
• CVE-2018-2826
  critical
• CVE-2018-2790
  warning
• CVE-2018-2825
  critical
• CVE-2018-2794
  critical
• CVE-2018-2795
  high
• CVE-2018-2796
  high
• CVE-2018-2797
  high
• CVE-2018-2798
  high
• CVE-2018-2799
  high
• CVE-2018-2800
  warning

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com