#VU7326 Denial of service in JRockit and Oracle Java SE


Published: 2017-07-05 | Updated: 2018-11-22

Vulnerability identifier: #VU7326

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-5547

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JRockit
Server applications / Web servers
Oracle Java SE
Universal components / Libraries / Software for developers

Vendor: Oracle

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation
Install update from vendor's website.

Vulnerable software versions

JRockit: r28.3.12

Oracle Java SE: 8u111 - 8u112, 7u121, 6u131

External links
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM FlashSystem models 840 and 900
Multiple vulnerabilities in IBM Algo One Core and Algo Risk Application
Gentoo update for IcedTea
Multiple vulnerabilities in SAN Volume Controller, Storwize family and FlashSystem V9000 products
Amazon Linux AMI update for java-1.7.0-openjdk
Red Hat update for java-1.7.0-openjdk
Ubuntu update for OpenJDK 7
OpenSUSE Linux update for java-1
SUSE Linux update for java-1
Amazon Linux AMI update for java-1.8.0-openjdk