#VU7333 Denial of service in JRockit and Oracle Java SE


Published: 2017-07-05 | Updated: 2018-11-22

Vulnerability identifier: #VU7333

Vulnerability risk: Medium

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-3253

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JRockit
Server applications / Web servers
Oracle Java SE
Universal components / Libraries / Software for developers

Vendor: Oracle

Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the 2D component. A remote attacker can cause the system to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation
Install update from vendor's website.

Vulnerable software versions

JRockit: r28.3.12

Oracle Java SE: 8u111 - 8u112, 7u121, 6u131

External links
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for IcedTea
Ubuntu update for OpenJDK 6
Amazon Linux AMI update for java-1.7.0-openjdk
Red Hat update for java-1.7.0-openjdk
Ubuntu update for OpenJDK 7
OpenSUSE Linux update for java-1
SUSE Linux update for java-1
Amazon Linux AMI update for java-1.8.0-openjdk
Ubuntu update for OpenJDK 8
Red Hat update for java-1.8.0-openjdk