KLA11234
Multiple vulnerabilities in Oracle Java SE, Java SE Embedded and JRockit
Обновлено: 26/06/2019
Дата обнаружения
17/04/2018
Уровень угрозы
Critical
Описание

Multiple serious vulnerabilities have been found in Oracle products. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, obtain sensitive information, cause denial of service and perform unspecified attacks.

Below is a complete list of vulnerabilities:

  1. Multiple unspecified vulnerabilities in the Libraries component can be exploited remotely to bypass security restrictions;
  2. An unspecified vulnerability in the Libraries component can be exploited remotely to bypass security restrictions;
  3. An unspecified vulnerability in the Install component can be exploited locally to perform unspecified attacks;
  4. An unspecified vulnerability in the Security component can be exploited locally via a specially crafted JCEKS key store to execute arbitrary code and obtain sensitive information;
  5. An unspecified vulnerability in the Security component can be exploited remotely to perform unspecified attacks;
  6. An unbounded memory allocation during deserialization in Container can be exploited remotely via specially crafted input to cause denial of service;
  7. An unbounded memory allocation during deserialization in PriorityBlockingQueue can be exploited remotely via specially crafted input to cause denial of service;
  8. An unbounded memory allocation during deserialization in NamedNodeMapImpl can be exploited remotely via specially crafted input to cause denial of service;
  9. An unbounded memory allocation during deserialization in TabularDataSupport can be exploited remotely via specially crafted input to cause denial of service;
  10. An insufficient consistency checks in deserialization of multiple classes in the Security component can be exploited remotely via specially crafted input to cause denial of service;
  11. An unbounded memory allocation during deserialization in StubIORImpl can be exploited remotely via specially crafted input to cause denial of service;
  12. An unspecified vulnerabilities in the RMI can be exploited remotely to bypass security restrictions;
  13. An incorrect merging of sections in the JAR manifest can be exploited remotely to bypass security restrictions.

Technical details

Java SE 10 is affected by vulnerabilities (1)-(11) and (13)

Java SE 8 is affected by vulnerabilities (2)-(13)

Java SE 6 and 7 is affected by vulnerabilities (2) and (4)-(13)

Java SE Embedded 8 is affected by vulnerabilities (2), (5)-(11) and (13)

JRockit is affected by vulnerabilities (5)-(12)

Пораженные продукты

Java SE 6u181 and earlier
Java SE 7u171 and earlier
Java SE 8u171 and earlier
Java SE 10.0.1 and earlier
Java SE Embedded 8u161 and earlier
JRockit R28.3.17 and earlier

Решение

Update to the latest version
Oracle software downloads

Первичный источник обнаружения
Oracle Critical Patch Update Advisory - April 2018
Оказываемое влияние
?
ACE 
[?]

OSI 
[?]

DoS 
[?]

SB 
[?]
Связанные продукты
Oracle Java JRE 1.7.x
Oracle Java JRE 1.8.x
Oracle JRockit
Oracle Java JRE 1.10.x
CVE-IDS
CVE-2018-28113.7Warning
CVE-2018-28145.1High
CVE-2018-28155.0Critical
CVE-2018-27835.8High
CVE-2018-28265.1High
CVE-2018-27902.6Warning
CVE-2018-28255.1High
CVE-2018-27943.7Warning
CVE-2018-27955.0Critical
CVE-2018-27965.0Critical
CVE-2018-27975.0Critical
CVE-2018-27985.0Critical
CVE-2018-27995.0Critical
CVE-2018-28004.0Warning