Searching
..

Click anywhere to stop

KLA11234
Multiple vulnerabilities in Oracle Java SE, Java SE Embedded and JRockit

Updated: 01/22/2024
Detect date
?
04/17/2018
Severity
?
Critical
Description

Multiple serious vulnerabilities have been found in Oracle products. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, obtain sensitive information, cause denial of service and perform unspecified attacks.

Below is a complete list of vulnerabilities:

  1. Multiple unspecified vulnerabilities in the Libraries component can be exploited remotely to bypass security restrictions;
  2. An unspecified vulnerability in the Libraries component can be exploited remotely to bypass security restrictions;
  3. An unspecified vulnerability in the Install component can be exploited locally to perform unspecified attacks;
  4. An unspecified vulnerability in the Security component can be exploited locally via a specially crafted JCEKS key store to execute arbitrary code and obtain sensitive information;
  5. An unspecified vulnerability in the Security component can be exploited remotely to perform unspecified attacks;
  6. An unbounded memory allocation during deserialization in Container can be exploited remotely via specially crafted input to cause denial of service;
  7. An unbounded memory allocation during deserialization in PriorityBlockingQueue can be exploited remotely via specially crafted input to cause denial of service;
  8. An unbounded memory allocation during deserialization in NamedNodeMapImpl can be exploited remotely via specially crafted input to cause denial of service;
  9. An unbounded memory allocation during deserialization in TabularDataSupport can be exploited remotely via specially crafted input to cause denial of service;
  10. An insufficient consistency checks in deserialization of multiple classes in the Security component can be exploited remotely via specially crafted input to cause denial of service;
  11. An unbounded memory allocation during deserialization in StubIORImpl can be exploited remotely via specially crafted input to cause denial of service;
  12. An unspecified vulnerabilities in the RMI can be exploited remotely to bypass security restrictions;
  13. An incorrect merging of sections in the JAR manifest can be exploited remotely to bypass security restrictions.

Technical details

Java SE 10 is affected by vulnerabilities (1)-(11) and (13)

Java SE 8 is affected by vulnerabilities (2)-(13)

Java SE 6 and 7 is affected by vulnerabilities (2) and (4)-(13)

Java SE Embedded 8 is affected by vulnerabilities (2), (5)-(11) and (13)

JRockit is affected by vulnerabilities (5)-(12)

Affected products

Java SE 6u181 and earlier
Java SE 7u171 and earlier
Java SE 8u171 and earlier
Java SE 10.0.1 and earlier
Java SE Embedded 8u161 and earlier
JRockit R28.3.17 and earlier

Solution

Update to the latest version
Oracle software downloads

Original advisories

Oracle Critical Patch Update Advisory – April 2018

Impacts
?
ACE 
[?]

OSI 
[?]

DoS 
[?]

SB 
[?]

LoI 
[?]
Related products
Oracle Java JRE 1.7.x
Oracle Java JRE 1.8.x
Oracle JRockit
Oracle Java JRE 1.10.x
CVE-IDS
?
CVE-2018-28113.7Warning
CVE-2018-28145.1High
CVE-2018-28155.0Warning
CVE-2018-27835.8High
CVE-2018-28265.1High
CVE-2018-27902.6Warning
CVE-2018-28255.1High
CVE-2018-27943.7Warning
CVE-2018-27955.0Warning
CVE-2018-27965.0Warning
CVE-2018-27975.0Warning
CVE-2018-27985.0Warning
CVE-2018-27995.0Warning
CVE-2018-28004.0Warning
Find out the statistics of the vulnerabilities spreading in your region