KLA11234
Multiple vulnerabilities in Oracle Java SE, Java SE Embedded and JRockit
Updated: 08/17/2018
CVSS: 5.8
Detect date: 04/17/2018
Severity: High
Description

Multiple serious vulnerabilities have been found in Oracle products. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, obtain sensitive information, cause denial of service and perform unspecified attacks.

Below is a complete list of vulnerabilities:

  1. Multiple unspecified vulnerabilities in the Libraries component can be exploited remotely to bypass security restrictions;
  2. An unspecified vulnerability in the Libraries component can be exploited remotely to bypass security restrictions;
  3. An unspecified vulnerability in the Install component can be exploited locally to perform unspecified attacks;
  4. An unspecified vulnerability in the Security component can be exploited locally via a specially crafted JCEKS key store to execute arbitrary code and obtain sensitive information;
  5. An unspecified vulnerability in the Security component can be exploited remotely to perform unspecified attacks;
  6. An unbounded memory allocation during deserialization in Container can be exploited remotely via specially crafted input to cause denial of service;
  7. An unbounded memory allocation during deserialization in PriorityBlockingQueue can be exploited remotely via specially crafted input to cause denial of service;
  8. An unbounded memory allocation during deserialization in NamedNodeMapImpl can be exploited remotely via specially crafted input to cause denial of service;
  9. An unbounded memory allocation during deserialization in TabularDataSupport can be exploited remotely via specially crafted input to cause denial of service;
  10. Insufficient consistency checks in deserialization of multiple classes in the Security component can be exploited remotely via specially crafted input to cause denial of service;
  11. An unbounded memory allocation during deserialization in StubIORImpl can be exploited remotely via specially crafted input to cause denial of service;
  12. An unspecified vulnerability in RMI can be exploited remotely to bypass security restrictions;
  13. An incorrect merging of sections in the JAR manifest can be exploited remotely to bypass security restrictions.

Technical details

Java SE 10 is affected by vulnerabilities (1)-(11) and (13)

Java SE 8 is affected by vulnerabilities (2)-(13)

Java SE 6 and 7 are affected by vulnerabilities (2) and (4)-(13)

Java SE Embedded 8 is affected by vulnerabilities (2), (5)-(11) and (13)

JRockit is affected by vulnerabilities (5)-(12) 

Affected products

Java SE 6u181 and earlier
Java SE 7u171 and earlier
Java SE 8u171 and earlier
Java SE 10.0.1 and earlier
Java SE Embedded 8u161 and earlier
JRockit R28.3.17 and earlier

Solution

Update to the latest version
Oracle software downloads

Original advisories

Oracle Critical Patch Update Advisory – April 2018

Impacts

ACE
OSI
DoS
SB

CVE-IDS

CVE-2018-2811
CVE-2018-2814
CVE-2018-2815
CVE-2018-2783
CVE-2018-2826
CVE-2018-2790
CVE-2018-2825
CVE-2018-2794
CVE-2018-2795
CVE-2018-2796
CVE-2018-2797
CVE-2018-2798
CVE-2018-2799
CVE-2018-2800