Improper access control in Oracle Java SE

#VU8867 Improper access control in Oracle Java SE

Published: 2017-10-18

Vulnerability identifier: #VU8867

Vulnerability risk: Low

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10295

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oracle Java SE
Universal components / Libraries / Software for developers

Vendor: Oracle

Description
The vulnerability allows a remote attacker to access potentially sensitive information.

The weakness exists due to a flaw in the Javadoc component. A remote attacker can partially modify arbitrary files on the target system.

Mitigation
The vulnerability is addressed in the following version: 8u151.

Vulnerable software versions

Oracle Java SE: 6u161, 9, 8u144, 7u151

External links
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cognos Controller

Multiple vulnerabilities in IBM Virtualization Engine TS7700

SUSE Linux update for java-1

SUSE Linux update for java-1_7_1-ibm

SUSE Linux update for java-1_8_0-ibm

SUSE Linux update for java-1_6_0-ibm

Red Hat update for java-1.8.0-ibm

Multiple vulnerabilities in IBM AIX

SUSE Linux update for java-1