#VU8861 Information disclosure in JRockit and Oracle Java SE


Published: 2017-10-18

Vulnerability identifier: #VU8861

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-10165

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JRockit
Server applications / Web servers
Oracle Java SE
Universal components / Libraries / Software for developers

Vendor: Oracle

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to a flaw in the 2D (Little CMS 2) component. A remote attacker can read arbitrary files on the target system.

Mitigation
The vulnerability is addressed in the following version: 8u151.

Vulnerable software versions

JRockit: r28.3.15

Oracle Java SE: 9, 8u144, 7u151

External links
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cognos Controller
SUSE Linux update for java-1
SUSE Linux update for java-1
SUSE Linux update for java-1_7_1-ibm
SUSE Linux update for java-1_8_0-ibm
Red Hat update for java-1.8.0-ibm
Multiple vulnerabilities in IBM AIX
Red Hat update for java-1.7.1-ibm
Red Hat update for java-1.8.0-ibm
Red Hat update for java-1.8.0-ibm