http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

99832

1038931

GLSA-201709-22

https://security.netapp.com/advisory/ntap-20170720-0001/

An update of the openjre package has been released.

An update of the openjdk package has been released.

An update of [openjdk,openjre,pycrypto,python3-pycrypto] packages for PhotonOS has been released.

The remote host is affected by the vulnerability described in GLSA-201709-22 (Oracle JDK/JRE, IcedTea: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Oracle&rsquo;s JRE, JDK and       IcedTea. Please review the referenced CVE identifiers for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, or gain       access to information.
  Workaround :

    There is no known workaround at this time.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 141, 7 Update 151, or 6 Update 161. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the 2D component that     allows an unauthenticated, remote attacker to cause a     denial of service condition. (CVE-2017-10053)

  - Multiple unspecified flaws exist in the Security     component that allow an unauthenticated, remote attacker     to execute arbitrary code. (CVE-2017-10067,     CVE-2017-10116)

  - An unspecified flaw exists in the Hotspot component that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2017-10074)

  - An unspecified flaw exists in the Scripting component     that allows an authenticated, remote attacker to impact     confidentiality and integrity. (CVE-2017-10078)

  - An unspecified flaw exists in the Hotspot component that     allows an unauthenticated, remote attacker to impact     integrity. (CVE-2017-10081)

  - Multiple unspecified flaws exist in the JavaFX component     that allow an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2017-10086, CVE-2017-10114)

  - Multiple unspecified flaws exist in the Libraries     component that allow an unauthenticated, remote attacker     to execute arbitrary code. (CVE-2017-10087,     CVE-2017-10090, CVE-2017-10111)

  - An unspecified flaw exists in the ImageIO component that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2017-10089)

  - Multiple unspecified flaws exist in the JAXP component     that allow an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2017-10096, CVE-2017-10101)

  - Multiple unspecified flaws exist in the RMI component     that allow an unauthenticated, remote attacker to     execute arbitrary code. (CVE-2017-10102, CVE-2017-10107)

  - Multiple unspecified flaws exist in the Server component     of the Java Advanced Management Console that allow an     authenticated, remote attacker to impact     confidentiality, integrity, and availability.
    (CVE-2017-10104, CVE-2017-10145)

  - An unspecified flaw exists in the Deployment component     that allows an unauthenticated, remote attacker to     impact integrity. (CVE-2017-10105)

  - Multiple unspecified flaws exist in the Serialization     component that allow an unauthenticated, remote attacker     to exhaust available memory, resulting in a denial of     service condition. (CVE-2017-10108, CVE-2017-10109)

  - An unspecified flaw exists in the AWT component that     allows an unauthenticated, remote attacker to execute     arbitrary code. (CVE-2017-10110)

  - Multiple unspecified flaws exist in the JCE component     that allow an unauthenticated, remote attacker to     disclose sensitive information. (CVE-2017-10115,     CVE-2017-10118, CVE-2017-10135)

  - An unspecified flaw exists in the Server component of     the Java Advanced Management Console that allows an     unauthenticated, remote attacker to disclose sensitive     information. (CVE-2017-10117)

  - An unspecified flaw exists in the Server component of     the Java Advanced Management Console that allows an     unauthenticated, remote attacker to impact     confidentiality and integrity. (CVE-2017-10121)

  - An unspecified flaw exists in the Deployment component     that allows a local attacker to impact confidentiality,     integrity, and availability. (CVE-2017-10125)

  - Multiple unspecified flaws exist in the Security     component that allow an unauthenticated, remote attacker     to disclose sensitive information. (CVE-2017-10176,     CVE-2017-10193, CVE-2017-10198)

  - An unspecified flaw exists in the JAX-WS component that     allows an unauthenticated, remote attacker to impact     confidentiality and availability. (CVE-2017-10243)

ID	Name	Product	Family	Severity
121719	Photon OS 1.0: Openjre PHSA-2017-0026	Nessus	PhotonOS Local Security Checks	high
121718	Photon OS 1.0: Openjdk PHSA-2017-0026	Nessus	PhotonOS Local Security Checks	high
111875	Photon OS 1.0: Openjdk / Openjre / Pycrypto / Python3 PHSA-2017-0026 (deprecated)	Nessus	PhotonOS Local Security Checks	high
103450	GLSA-201709-22 : Oracle JDK/JRE, IcedTea: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
101844	Oracle Java SE Multiple Vulnerabilities (July 2017 CPU) (Unix)	Nessus	Misc.	medium
101843	Oracle Java SE Multiple Vulnerabilities (July 2017 CPU)	Nessus	Windows	medium

CVE-2017-10121

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

medium

medium

medium