ID CVE-2017-10243
Summary Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:jdk:1.6.0:update_151:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.6.0:update_151:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update_141:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update_141:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jdk:1.8.0:update_131:*:*:*:*:*:*
    cpe:2.3:a:oracle:jdk:1.8.0:update_131:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.6.0:update_151:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.6.0:update_151:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update_141:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update_141:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jre:1.8.0:update_131:*:*:*:*:*:*
    cpe:2.3:a:oracle:jre:1.8.0:update_131:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jrockit:r28.3.14:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jrockit:r28.3.14:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1472345
    title CVE-2017-10102 OpenJDK: incorrect handling of references in DGC (RMI, 8163958)
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhba:tst:20150364001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhba:tst:20150364002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhba:tst:20150364003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20150364004
      • OR
        • AND
          • comment java-1.8.0-openjdk is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789027
          • comment java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636006
        • AND
          • comment java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789007
          • comment java-1.8.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20150809023
        • AND
          • comment java-1.8.0-openjdk-accessibility-debug is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789009
          • comment java-1.8.0-openjdk-accessibility-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20160049016
        • AND
          • comment java-1.8.0-openjdk-debug is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789025
          • comment java-1.8.0-openjdk-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919012
        • AND
          • comment java-1.8.0-openjdk-demo is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789015
          • comment java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636012
        • AND
          • comment java-1.8.0-openjdk-demo-debug is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789019
          • comment java-1.8.0-openjdk-demo-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919018
        • AND
          • comment java-1.8.0-openjdk-devel is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789021
          • comment java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636016
        • AND
          • comment java-1.8.0-openjdk-devel-debug is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789013
          • comment java-1.8.0-openjdk-devel-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919016
        • AND
          • comment java-1.8.0-openjdk-headless is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789023
          • comment java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636008
        • AND
          • comment java-1.8.0-openjdk-headless-debug is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789005
          • comment java-1.8.0-openjdk-headless-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919006
        • AND
          • comment java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789035
          • comment java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636014
        • AND
          • comment java-1.8.0-openjdk-javadoc-debug is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789029
          • comment java-1.8.0-openjdk-javadoc-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919028
        • AND
          • comment java-1.8.0-openjdk-javadoc-zip is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789033
          • comment java-1.8.0-openjdk-javadoc-zip is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20170180051
        • AND
          • comment java-1.8.0-openjdk-javadoc-zip-debug is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789031
          • comment java-1.8.0-openjdk-javadoc-zip-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20170180048
        • AND
          • comment java-1.8.0-openjdk-src is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789017
          • comment java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636010
        • AND
          • comment java-1.8.0-openjdk-src-debug is earlier than 1:1.8.0.141-1.b16.el7_3
            oval oval:com.redhat.rhsa:tst:20171789011
          • comment java-1.8.0-openjdk-src-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919022
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhba:tst:20111656001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhba:tst:20111656002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhba:tst:20111656003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20111656004
      • OR
        • AND
          • comment java-1.8.0-openjdk is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789041
          • comment java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636006
        • AND
          • comment java-1.8.0-openjdk-debug is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789046
          • comment java-1.8.0-openjdk-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919012
        • AND
          • comment java-1.8.0-openjdk-demo is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789049
          • comment java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636012
        • AND
          • comment java-1.8.0-openjdk-demo-debug is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789050
          • comment java-1.8.0-openjdk-demo-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919018
        • AND
          • comment java-1.8.0-openjdk-devel is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789042
          • comment java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636016
        • AND
          • comment java-1.8.0-openjdk-devel-debug is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789044
          • comment java-1.8.0-openjdk-devel-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919016
        • AND
          • comment java-1.8.0-openjdk-headless is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789047
          • comment java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636008
        • AND
          • comment java-1.8.0-openjdk-headless-debug is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789043
          • comment java-1.8.0-openjdk-headless-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919006
        • AND
          • comment java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789051
          • comment java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636014
        • AND
          • comment java-1.8.0-openjdk-javadoc-debug is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789052
          • comment java-1.8.0-openjdk-javadoc-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919028
        • AND
          • comment java-1.8.0-openjdk-src is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789045
          • comment java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636010
        • AND
          • comment java-1.8.0-openjdk-src-debug is earlier than 1:1.8.0.141-2.b16.el6_9
            oval oval:com.redhat.rhsa:tst:20171789048
          • comment java-1.8.0-openjdk-src-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919022
    rhsa
    id RHSA-2017:1789
    released 2017-07-20
    severity Critical
    title RHSA-2017:1789: java-1.8.0-openjdk security update (Critical)
  • bugzilla
    id 1472666
    title CVE-2017-10243 OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhba:tst:20111656001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhba:tst:20111656002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhba:tst:20111656003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20111656004
      • OR
        • AND
          • comment java-1.7.0-openjdk is earlier than 1:1.7.0.151-2.6.11.0.el6_9
            oval oval:com.redhat.rhsa:tst:20172424009
          • comment java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009006
        • AND
          • comment java-1.7.0-openjdk-demo is earlier than 1:1.7.0.151-2.6.11.0.el6_9
            oval oval:com.redhat.rhsa:tst:20172424007
          • comment java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009010
        • AND
          • comment java-1.7.0-openjdk-devel is earlier than 1:1.7.0.151-2.6.11.0.el6_9
            oval oval:com.redhat.rhsa:tst:20172424011
          • comment java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009008
        • AND
          • comment java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.151-2.6.11.0.el6_9
            oval oval:com.redhat.rhsa:tst:20172424013
          • comment java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009012
        • AND
          • comment java-1.7.0-openjdk-src is earlier than 1:1.7.0.151-2.6.11.0.el6_9
            oval oval:com.redhat.rhsa:tst:20172424005
          • comment java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009014
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhba:tst:20150364001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhba:tst:20150364002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhba:tst:20150364003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20150364004
      • OR
        • AND
          • comment java-1.7.0-openjdk is earlier than 1:1.7.0.151-2.6.11.1.el7_4
            oval oval:com.redhat.rhsa:tst:20172424025
          • comment java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009006
        • AND
          • comment java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.151-2.6.11.1.el7_4
            oval oval:com.redhat.rhsa:tst:20172424021
          • comment java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140675018
        • AND
          • comment java-1.7.0-openjdk-demo is earlier than 1:1.7.0.151-2.6.11.1.el7_4
            oval oval:com.redhat.rhsa:tst:20172424024
          • comment java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009010
        • AND
          • comment java-1.7.0-openjdk-devel is earlier than 1:1.7.0.151-2.6.11.1.el7_4
            oval oval:com.redhat.rhsa:tst:20172424023
          • comment java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009008
        • AND
          • comment java-1.7.0-openjdk-headless is earlier than 1:1.7.0.151-2.6.11.1.el7_4
            oval oval:com.redhat.rhsa:tst:20172424019
          • comment java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140675012
        • AND
          • comment java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.151-2.6.11.1.el7_4
            oval oval:com.redhat.rhsa:tst:20172424027
          • comment java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009012
        • AND
          • comment java-1.7.0-openjdk-src is earlier than 1:1.7.0.151-2.6.11.1.el7_4
            oval oval:com.redhat.rhsa:tst:20172424026
          • comment java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009014
    rhsa
    id RHSA-2017:2424
    released 2017-08-07
    severity Critical
    title RHSA-2017:2424: java-1.7.0-openjdk security update (Critical)
  • rhsa
    id RHSA-2017:1790
  • rhsa
    id RHSA-2017:1791
  • rhsa
    id RHSA-2017:1792
  • rhsa
    id RHSA-2017:2469
  • rhsa
    id RHSA-2017:2481
  • rhsa
    id RHSA-2017:2530
  • rhsa
    id RHSA-2017:3453
rpms
  • java-1.8.0-openjdk-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-accessibility-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-accessibility-debug-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-debug-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-demo-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-devel-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-headless-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-javadoc-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-javadoc-zip-debug-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-src-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-src-debug-1:1.8.0.141-1.b16.el7_3
  • java-1.8.0-openjdk-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-debug-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-demo-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-devel-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-headless-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-javadoc-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-src-1:1.8.0.141-2.b16.el6_9
  • java-1.8.0-openjdk-src-debug-1:1.8.0.141-2.b16.el6_9
  • java-1.7.0-openjdk-1:1.7.0.151-2.6.11.0.el6_9
  • java-1.7.0-openjdk-demo-1:1.7.0.151-2.6.11.0.el6_9
  • java-1.7.0-openjdk-devel-1:1.7.0.151-2.6.11.0.el6_9
  • java-1.7.0-openjdk-javadoc-1:1.7.0.151-2.6.11.0.el6_9
  • java-1.7.0-openjdk-src-1:1.7.0.151-2.6.11.0.el6_9
  • java-1.7.0-openjdk-1:1.7.0.151-2.6.11.1.el7_4
  • java-1.7.0-openjdk-accessibility-1:1.7.0.151-2.6.11.1.el7_4
  • java-1.7.0-openjdk-demo-1:1.7.0.151-2.6.11.1.el7_4
  • java-1.7.0-openjdk-devel-1:1.7.0.151-2.6.11.1.el7_4
  • java-1.7.0-openjdk-headless-1:1.7.0.151-2.6.11.1.el7_4
  • java-1.7.0-openjdk-javadoc-1:1.7.0.151-2.6.11.1.el7_4
  • java-1.7.0-openjdk-src-1:1.7.0.151-2.6.11.1.el7_4
refmap via4
bid 99827
confirm
debian DSA-3954
gentoo GLSA-201709-22
sectrack 1038931
Last major update 03-10-2019 - 00:03
Published 08-08-2017 - 15:29
Back to Top