#VU10130 Security restrictions bypass in Oracle Java SE


Published: 2018-01-22

Vulnerability identifier: #VU10130

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2602

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Oracle Java SE
Universal components / Libraries / Software for developers

Vendor: Oracle

Description
The vulnerability allows a local attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Java SE, Java SE Embedded I18n component. A local attacker can partially access data, partially modify data, and partially deny service.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Oracle Java SE: 8u151 - 8u152, 9.0.1, 7u161, 6u171

External links
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Tivoli System Automation Application Manager
Multiple vulnerabilities in IBM Cognos Insight
Red Hat update for Oracle Java SE
Multiple vulnerabilities in IBM Cognos Command Center
Multiple vulnerabilities in IBM MQ
Red Hat update for Oracle Java SE
Multiple vulnerabilities in IBM AIX
Multiple vulnerabilities in IBM Algo Credit Manager
Debian update for openjdk-7
Amazon Linux AMI update for java-1.7.0-openjdk