Protection Mechanism Failure in openjdk

#VU19281 Protection Mechanism Failure in openjdk

Published: 2019-07-22

Vulnerability identifier: #VU19281

Vulnerability risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2786

CWE-ID: CWE-693

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
openjdk
Web applications / JS libraries

Vendor: Oracle

Description

The vulnerability allows a remote attacker to bypass certain restrictions.

The vulnerability exists due to the the AccessController class implementation in the Security component failed in certain cases. A remote attacker can use an untrusted Java application or applet to bypass certain Java sandbox restrictions.

The vulnerability affects openjdk-jre package of an implementation of the Java Platform, Standard Edition (Java SE).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

openjdk: 11.0.3 - 12.0.1

External links
http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)

Amazon Linux AMI update for java-1.8.0-openjdk

Amazon Linux AMI update for java-1.7.0-openjdk

OpenSUSE Linux update for java-1_8_0-openjdk

Protection Mechanism Failure in openjdk8 (Alpine package)

Red Hat Enterprise Linux 7 update for java-1.7.0-openjdk

Red Hat Enterprise Linux 6 update for java-1.7.0-openjdk

Red Hat Enterprise Linux 8 update for java-1.8.0-openjdk

Red Hat Enterprise Linux 7 update for java-1.8.0-openjdk

Red Hat Enterprise Linux 6 update for java-1.8.0-openjdk