#VU11953 Security restrictions bypass in Oracle products - CVE-2018-2799


Vulnerability identifier: #VU11953

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2799

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oracle Java SE
Universal components / Libraries / Software for developers
Java SE Embedded
Universal components / Libraries / Software for developers
JRockit
Server applications / Web servers

Vendor: Oracle

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE due to improper security restrictions. A remote attacker can partially cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Oracle Java SE: 7u171, 8u162, 10

Java SE Embedded: 8u161

JRockit: r28.3.17

External links
https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Operational Decision Manager
openEuler 22.03 LTS update for xerces-j2
openEuler 20.03 LTS SP3 update for xerces-j2
openEuler 20.03 LTS SP1 update for xerces-j2
Gentoo update for Oracle JDK/JRE
Multiple vulnerabilities in IBM Cognos Business Intelligence Server
Red Hat update for java-se
Red Hat update for java-se
OpenSUSE Linux update for java-1
OpenSUSE Linux update for java-1