Amazon Linux AMI update for java-1.7.0-openjdk
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 12 |
| CVE-ID | CVE-2016-5546 CVE-2017-3231 CVE-2016-5548 CVE-2017-3289 CVE-2017-3261 CVE-2017-3241 CVE-2017-3272 CVE-2016-5547 CVE-2016-5552 CVE-2017-3253 CVE-2017-3252 CVE-2016-2183 |
| CWE-ID | CWE-20 CWE-200 CWE-264 CWE-327 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #12 is available. |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 12 vulnerabilities.
1) Modification of information
EUVDB-ID: #VU7325
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-5546
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to modify information.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can modify arbitrary data on the system.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU7330
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3231
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Networking component. A remote attacker can trick the victim into visiting a specially crafted webpage read arbitrary files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU7327
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5548
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Remote code execution
EUVDB-ID: #VU6712
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-3289
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Hotspot component. A remote attacker can trick the victim into opening a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU7335
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-3261
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Networking component. A remote attacker can trick the victim into visiting a specially crafted webpage and read arbitrary files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Remote code execution
EUVDB-ID: #VU7331
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-3241
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the RMI component. A remote attacker can execute arbitrary code with privileges of the current user and compromise vulnerable system.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Remote code execution
EUVDB-ID: #VU7336
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-3272
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Denial of service
EUVDB-ID: #VU7326
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5547
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Modification of information
EUVDB-ID: #VU7329
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5552
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to modify information.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Networking component. A remote attacker can modify arbitrary data on the system.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Denial of service
EUVDB-ID: #VU7333
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-3253
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the 2D component. A remote attacker can cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Modification of information
EUVDB-ID: #VU7332
Risk: Medium
CVSSv4.0: 4.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-3252
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to modify information.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the JAAS component. A remote attacker can trick the victim into visiting a specially crafted webpage and modify arbitrary data on the system.
Update the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Information disclosure
EUVDB-ID: #VU370
Risk: Low
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2016-2183
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to decrypt transmitted data.
The vulnerability exists due to remote user's ability to control the network and capture long duration 3DES CBC mode encrypted session during which he can see a part of the text. In case of repeated sending the attacker can read the part and reconstruct the whole text.
Successful exploitation of this vulnerability may allow a remote attacker to decode transmitted data. This vulnerability is known as SWEET32.
MitigationUpdate the affected packages.
i686:Vulnerable software versions
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch
src:
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.src
x86_64:
java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64
java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-797.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
