#VU6712 Remote code execution in Oracle Java SE - CVE-2017-3289


| Updated: 2018-11-22

Vulnerability identifier: #VU6712

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-3289

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oracle Java SE
Universal components / Libraries / Software for developers

Vendor: Oracle

Description
The vulnerability allows a remote unauthenticated attacker to execute arbitrary code.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Hotspot component. A remote attacker can trick the victim into opening a specially crafted webpage, execute arbitrary code with privileges of the current user and compromise vulnerable system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Oracle Java SE: 6u131, 7u121, 8u111 - 8u112

External links
https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for IcedTea
openSUSE update for java-1_7_0-openjdk
SUSE Linux update for java-1_7_0-openjdk
Amazon Linux AMI update for java-1.7.0-openjdk
Red Hat update for java-1.7.0-openjdk
Ubuntu update for OpenJDK 7
OpenSUSE Linux update for java-1
SUSE Linux update for java-1
Amazon Linux AMI update for java-1.8.0-openjdk
Ubuntu update for OpenJDK 8