
Test ID:1.3.6.1.4.1.25623.1.0.843361
Category:Ubuntu Local Security Checks
Title:Ubuntu: Security Advisory (USN-3473-1)
Summary:The remote host is missing an update for the 'openjdk-8' package(s) announced via the USN-3473-1 advisory.
Description:
Summary:
The remote host is missing an update for the 'openjdk-8' package(s) announced via the USN-3473-1 advisory.

Vulnerability Insight:
It was discovered that the Smart Card IO subsystem in OpenJDK did not
properly maintain state. An attacker could use this to specially construct
an untrusted Java application or applet to gain access to a smart card,
bypassing sandbox restrictions. (CVE-2017-10274)

Gaston Traberg discovered that the Serialization component of OpenJDK did
not properly limit the amount of memory allocated when performing
deserializations. An attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2017-10281)

It was discovered that the Remote Method Invocation (RMI) component in
OpenJDK did not properly handle unreferenced objects. An attacker could use
this to specially construct an untrusted Java application or applet that
could escape sandbox restrictions. (CVE-2017-10285)

It was discovered that the HttpURLConnection classes in OpenJDK did not
properly handle newlines in header values. An attacker who controls a header
value could use this to make a Java application or applet inject additional
headers into its HTTP requests (CRLF injection). (CVE-2017-10295)
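As an added illustration of the CVE-2017-10295 bug class (this is example code, not OpenJDK's implementation or anything from the advisory), the Python below builds an HTTP/1.1 request from a header dictionary the way a naive client does, shows how a value containing CR/LF turns one header into several, and pairs it with the checked serializer a hardened client uses. The host name, header names and the attacker-controlled cookie value are constructed for the example.

```python
import re

CRLF = b"\r\n"

def serialize_request_unchecked(method, path, host, headers):
    """Vulnerable pattern: header values are copied into the wire format
    without checking for CR/LF, so a value containing "\\r\\n" ends the header
    early and whatever follows is sent as extra header lines."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    return CRLF.join(line.encode("latin-1") for line in lines) + CRLF + CRLF

_CTL = re.compile(r"[\r\n\x00]")
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 7230 header-name token

def serialize_request_checked(method, path, host, headers):
    """Hardened pattern: reject (rather than silently strip) any header name
    that is not a token and any value carrying CR, LF or NUL."""
    for name, value in headers.items():
        if not _TOKEN.fullmatch(name):
            raise ValueError(f"illegal header name {name!r}")
        if _CTL.search(value):
            raise ValueError(f"CR/LF/NUL in value of header {name!r}")
    return serialize_request_unchecked(method, path, host, headers)

def parse_header_block(raw):
    """Read the bytes back the way a server does and return the (name, value)
    pairs it sees, so the effect of the injected value is visible."""
    head, _, _ = raw.partition(CRLF + CRLF)
    out = []
    for line in head.split(CRLF)[1:]:          # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        out.append((name.strip(), value.strip()))
    return out

def rejects(fn, *args):
    """True if fn(*args) raises ValueError (used to show the check firing)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

# Constructed attacker input: a cookie value taken from an untrusted source.
EVIL_VALUE = "session=abc\r\nX-Injected: true\r\nAuthorization: Basic YWRtaW46cHc="

def demo():
    """Returns the headers a server would see from the unchecked client, and
    whether the checked client refused to send the same request."""
    wire = serialize_request_unchecked("GET", "/", "example.test", {"Cookie": EVIL_VALUE})
    seen = parse_header_block(wire)
    blocked = rejects(serialize_request_checked, "GET", "/", "example.test",
                      {"Cookie": EVIL_VALUE})
    return seen, blocked
```

The unchecked client sends four header lines where the caller intended two, and the injected Authorization line overrides whatever the application meant to send; a value ending in a double CRLF could go further and append a request body or a second request. The checked client refuses the request outright, which is the right response: stripping the control characters would let a differently encoded variant through.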

Francesco Palmarini, Marco Squarcina, Mauro Tempesta, and Riccardo Focardi
discovered that the Serialization component of OpenJDK did not properly
restrict the amount of memory allocated when deserializing objects from
Java Cryptography Extension KeyStore (JCEKS). An attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2017-10345)

It was discovered that the Hotspot component of OpenJDK did not properly
perform loader checks when handling the invokespecial JVM instruction. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions.
(CVE-2017-10346)

Gaston Traberg discovered that the Serialization component of OpenJDK did
not properly limit the amount of memory allocated when performing
deserializations in the SimpleTimeZone class. An attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2017-10347)

It was discovered that the Serialization component of OpenJDK did not
properly limit the amount of memory allocated when performing
deserializations. An attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2017-10348, CVE-2017-10357)

It was discovered that the JAXP component in OpenJDK did not properly limit
the amount of memory allocated when performing deserializations. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2017-10349)

It was discovered that the JAX-WS component in OpenJDK did not properly
limit the amount of memory allocated when performing deserializations. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2017-10350)
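Most of the denial-of-service CVEs above share one root cause: a decoder trusted a length or element count read from the untrusted stream and sized an allocation from it before checking that the data existed. The Python below is an added example (not OpenJDK code) using a constructed Java-style length-prefixed record format: the trusting decoder allocates whatever the 4-byte header declares, the bounded decoder checks the declared length against a per-record cap and the bytes actually present, and the record-stream decoder also enforces a running total, since many small records exhaust memory just as one large one does. MAX_PAYLOAD and TOTAL_BUDGET are assumed limits for the example.

```python
import struct

# Constructed Java-style record: 4-byte big-endian signed int length, then
# that many payload bytes (the shape DataInputStream.readInt() + new byte[n]
# produces).
MAX_PAYLOAD = 64 * 1024           # assumed per-record cap for this example
TOTAL_BUDGET = 4 * MAX_PAYLOAD    # assumed cap across one whole stream

def decode_trusting(buf):
    """Vulnerable pattern: size the allocation from the declared length before
    checking that many bytes exist. A 4-byte header controls the allocation."""
    (n,) = struct.unpack_from(">i", buf, 0)
    if n < 0:
        raise ValueError("negative length")
    data = buf[4:4 + n]
    out = bytearray(n)            # attacker-sized allocation happens here
    out[:len(data)] = data
    return out

def decode_bounded(buf, max_len=MAX_PAYLOAD):
    """Hardened pattern: bound the declared length by a schema-derived cap and
    by the bytes actually available before allocating anything."""
    if len(buf) < 4:
        raise ValueError("truncated header")
    (n,) = struct.unpack_from(">i", buf, 0)
    if n < 0 or n > max_len:
        raise ValueError(f"declared length {n} outside 0..{max_len}")
    if len(buf) - 4 < n:
        raise ValueError(f"declared {n} bytes, only {len(buf) - 4} present")
    return bytearray(buf[4:4 + n])

def decode_records(buf, max_len=MAX_PAYLOAD, total_budget=TOTAL_BUDGET):
    """A stream of records: enforce the per-record cap and a running total,
    because many individually small records exhaust memory just as well."""
    off, spent, records = 0, 0, []
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated header")
        (n,) = struct.unpack_from(">i", buf, off)
        if n < 0 or n > max_len:
            raise ValueError(f"declared length {n} outside 0..{max_len}")
        if spent + n > total_budget:
            raise ValueError(f"stream would exceed budget of {total_budget} bytes")
        if len(buf) - off - 4 < n:
            raise ValueError("truncated payload")
        records.append(bytes(buf[off + 4:off + 4 + n]))
        spent += n
        off += 4 + n
    return records

def rejects(fn, *args, **kwargs):
    """True if the call raises ValueError (used to show a check firing)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False

# Constructed inputs: a well-formed record, a record that declares 1 MiB but
# carries 16 bytes (a larger declared value means an allocation of GiBs), a
# record cut short, and three small records that add up past a budget.
GOOD = struct.pack(">i", 5) + b"hello"
EVIL = struct.pack(">i", 1 << 20) + b"x" * 16
TRUNC = struct.pack(">i", 5) + b"hel"
MANY = b"".join(struct.pack(">i", 20) + bytes(20) for _ in range(3))
```

The bounded decoder refuses EVIL on the declared length alone, before touching the payload; the trusting decoder happily returns a 1 MiB buffer for a 20-byte message. In a real format the cap comes from the schema (a key length, a time-zone rule table, an XML attribute count), and the running total is what stops the "many small objects" variant that per-object limits miss.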

It was discovered that the Networking component of OpenJDK did not properly
set timeouts on FTP client actions. A remote attacker could use this to
cause a denial of service (application hang). (CVE-2017-10355)

Francesco Palmarini, Marco ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'openjdk-8' package(s) on Ubuntu 16.04, Ubuntu 17.04, Ubuntu 17.10.

Solution:
Please install the updated package(s). A patched package on disk does not fix JVMs that were started before the upgrade and still have the old libraries loaded; restart those processes (or reboot) after updating.
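A local security check like this one decides vulnerable-or-not by comparing each installed binary package's version against the version in which the fix shipped. The Python below is an added example (not the Greenbone test itself) that parses dpkg-query output and compares versions with a port of dpkg's comparison algorithm, so it gets epochs, tildes and multi-part Ubuntu revisions right. The dpkg-query output is a constructed sample, and FIXED_VERSION is an assumed value to be replaced with the version USN-3473-1 gives for your release.

```python
# Constructed sample of
#   dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' 'openjdk-8-*'
# on a Ubuntu 16.04 host that has not yet taken the update.
SAMPLE_DPKG_OUTPUT = (
    "openjdk-8-jdk\t8u131-b11-2ubuntu1.16.04.3\tinstall ok installed\n"
    "openjdk-8-jre\t8u131-b11-2ubuntu1.16.04.3\tinstall ok installed\n"
    "openjdk-8-jre-headless\t8u131-b11-2ubuntu1.16.04.3\tinstall ok installed\n"
    "openjdk-8-source\t8u131-b11-2ubuntu1.16.04.3\tdeinstall ok config-files\n"
)
# Assumed fixed version for the example: replace with the version USN-3473-1
# lists for the release you are checking.
FIXED_VERSION = "8u151-b12-0ubuntu0.16.04.2"

def _order(c):
    """dpkg character weight: '~' sorts before everything, even end of string;
    letters sort before other non-digits."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): compare alternating non-digit/digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision] the way dpkg does."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, _, revision = version.rpartition("-")
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def installed_packages(dpkg_text):
    """Yield (package, version) for entries in the 'installed' state; a removed
    package that only left config files behind is not vulnerable."""
    for line in dpkg_text.splitlines():
        if not line.strip():
            continue
        pkg, ver, status = line.split("\t")
        if status.split()[-1] == "installed":
            yield pkg, ver

def vulnerable_packages(dpkg_text, fixed_version, prefix="openjdk-8"):
    """Installed binary packages from the affected source package that are
    older than the version carrying the fix."""
    return [(p, v) for p, v in installed_packages(dpkg_text)
            if p.startswith(prefix) and compare_versions(v, fixed_version) < 0]
```

Against a live host, feed the output of the dpkg-query command shown in the comment into vulnerable_packages(); `dpkg --compare-versions` gives the same answers as compare_versions() if you would rather shell out. Either way the result describes what is on disk, not what is running.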

CVSS Score:
6.8 (CVSS v2 base score; one score is reported for the whole multi-CVE test)

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2: network vector, medium access complexity, no authentication, partial confidentiality, integrity and availability impact)

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2017-10274
BugTraq ID: 101333
http://www.securityfocus.com/bid/101333
Debian Security Information: DSA-4015
https://www.debian.org/security/2017/dsa-4015
Debian Security Information: DSA-4048
https://www.debian.org/security/2017/dsa-4048
https://security.gentoo.org/glsa/201710-31
https://security.gentoo.org/glsa/201711-14
https://lists.debian.org/debian-lts-announce/2017/11/msg00033.html
RedHat Security Advisories: RHSA-2017:2998
https://access.redhat.com/errata/RHSA-2017:2998
RedHat Security Advisories: RHSA-2017:2999
https://access.redhat.com/errata/RHSA-2017:2999
RedHat Security Advisories: RHSA-2017:3046
https://access.redhat.com/errata/RHSA-2017:3046
RedHat Security Advisories: RHSA-2017:3047
https://access.redhat.com/errata/RHSA-2017:3047
RedHat Security Advisories: RHSA-2017:3392
https://access.redhat.com/errata/RHSA-2017:3392
http://www.securitytracker.com/id/1039596
Common Vulnerability Exposure (CVE) ID: CVE-2017-10281
BugTraq ID: 101378
http://www.securityfocus.com/bid/101378
RedHat Security Advisories: RHSA-2017:3264
https://access.redhat.com/errata/RHSA-2017:3264
RedHat Security Advisories: RHSA-2017:3267
https://access.redhat.com/errata/RHSA-2017:3267
RedHat Security Advisories: RHSA-2017:3268
https://access.redhat.com/errata/RHSA-2017:3268
RedHat Security Advisories: RHSA-2017:3453
https://access.redhat.com/errata/RHSA-2017:3453
Common Vulnerability Exposure (CVE) ID: CVE-2017-10285
BugTraq ID: 101319
http://www.securityfocus.com/bid/101319
Common Vulnerability Exposure (CVE) ID: CVE-2017-10295
BugTraq ID: 101384
http://www.securityfocus.com/bid/101384
Common Vulnerability Exposure (CVE) ID: CVE-2017-10345
BugTraq ID: 101396
http://www.securityfocus.com/bid/101396
Common Vulnerability Exposure (CVE) ID: CVE-2017-10346
BugTraq ID: 101315
http://www.securityfocus.com/bid/101315
Common Vulnerability Exposure (CVE) ID: CVE-2017-10347
BugTraq ID: 101382
http://www.securityfocus.com/bid/101382
Common Vulnerability Exposure (CVE) ID: CVE-2017-10348
BugTraq ID: 101354
http://www.securityfocus.com/bid/101354
Common Vulnerability Exposure (CVE) ID: CVE-2017-10349
BugTraq ID: 101348
http://www.securityfocus.com/bid/101348
Common Vulnerability Exposure (CVE) ID: CVE-2017-10350
BugTraq ID: 101341
http://www.securityfocus.com/bid/101341
Common Vulnerability Exposure (CVE) ID: CVE-2017-10355
BugTraq ID: 101369
http://www.securityfocus.com/bid/101369
Common Vulnerability Exposure (CVE) ID: CVE-2017-10356
BugTraq ID: 101413
http://www.securityfocus.com/bid/101413
Common Vulnerability Exposure (CVE) ID: CVE-2017-10357
BugTraq ID: 101355
http://www.securityfocus.com/bid/101355
Common Vulnerability Exposure (CVE) ID: CVE-2017-10388
BugTraq ID: 101321
http://www.securityfocus.com/bid/101321
CopyrightCopyright (C) 2017 Greenbone AG





© 1998-2025 E-Soft Inc. All rights reserved.