Log

CVE-2017-10101 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ It was discovered that the JAXP component of OpenJDK failed to restrict access to certain internal classes. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b3e7354e6ae8
Notes
CVE-2017-10102 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ It was discovered that the DCG (Distributed Garbage Collector) implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/070e24b47ae0
Notes
CVE-2017-10107 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ It was discovered that the implementation of the ActivationID class in the RMI component of OpenJDK failed to properly perform access control checks. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/97ea41335486
Notes
CVE-2017-10108 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ It was discovered that the implementation of the BasicAttribute class in OpenJDK did not limit the amount of memory allocated when creating object instance from a serialized form. A specially-crafted serialized input stream could cause JVM to consume an excessive amount of memory.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/936085d9aff0
Notes
CVE-2017-10109 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ It was discovered that the implementation of the CodeSource class in OpenJDK did not limit the amount of memory allocated when creating object instance from a serialized form. An untrusted Java application or applet could use this flaw to cause JVM to allocate an excessive amount of memory, bypassing certain Java sandbox restrictions.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/56e0ab47dbec
Notes
CVE-2017-10110 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ It was discovered that the implementation of the ImageWatched class in the AWT component of OpenJDK failed to properly perform access control checks. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/78a83e6e0fe8
Notes
CVE-2017-10111 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ It was discovered that the LambdaFormEditor class in the Libraries component of OpenJDK did not correctly perform bounds checks in the permuteArgumentsForm() function. An untrusted Java application or applet could use this flaw to corrupt JVM memory and cause it to crash or, possibly, execute arbitrary code, bypassing Java sandbox restrictions. The problem is triggered when using MethodHandle.permuteArguments().
References
+ http://hg.openjdk.java.net/jdk9/dev/jdk/rev/9003926e4a8a
Notes
CVE-2017-10115 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Private key recovery
Description
+ A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/3c8ea47635b6
Notes
CVE-2017-10116 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Privilege escalation
Description
+ It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/73dd1557f0ef
Notes
CVE-2017-10118 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Private key recovery
Description
+ A covert timing channel flaw was found in the ECDSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate ECDSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel.
References
+ http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/996632997de8
Notes