CVE-2017-3539

Current Description

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Basic Data

Published: April 24, 2017
Last Modified: October 03, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-noinfo
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:H/Au:S/C:N/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: HIGH
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Integrity Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 2.1
Severity: LOW
Exploitability Score: 3.9
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: HIGH
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: REQUIRED
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: NONE
CVSS 3 - Integrity Impact: LOW
CVSS 3 - Availability Impact: NONE
CVSS 3 - Base Score: 3.1
CVSS 3 - Base Severity: LOW
Exploitability Score: 1.6

Configurations

  • OR - Configuration 1 (CPE 2.3; Edition, Language, SW Edition, Target SW, Target HW, Other and all version-range fields are wildcards "*" for every row)
    Part        | Vendor | Product | Version | Update
    Application | Oracle | Jdk     | 1.6.0   | update_141
    Application | Oracle | Jdk     | 1.7.0   | update_131
    Application | Oracle | Jdk     | 1.8.0   | update_121
    Application | Oracle | Jre     | 1.6.0   | update_141
    Application | Oracle | Jre     | 1.7.0   | update_131
    Application | Oracle | Jre     | 1.8.0   | update_121
  • OR - Configuration 2 (CPE 2.3; Update and all remaining fields are wildcards "*" for every row)
    Part        | Vendor | Product                       | Version
    Application | Redhat | Satellite                     | 5.8
    OS          | Debian | Debian Linux                  | 8.0
    OS          | Redhat | Enterprise Linux Desktop      | 6.0
    OS          | Redhat | Enterprise Linux Desktop      | 7.0
    OS          | Redhat | Enterprise Linux Server       | 6.0
    OS          | Redhat | Enterprise Linux Server       | 7.0
    OS          | Redhat | Enterprise Linux Server Aus   | 7.3
    OS          | Redhat | Enterprise Linux Server Aus   | 7.4
    OS          | Redhat | Enterprise Linux Server Aus   | 7.6
    OS          | Redhat | Enterprise Linux Server Eus   | 7.3
    OS          | Redhat | Enterprise Linux Server Eus   | 7.4
    OS          | Redhat | Enterprise Linux Server Eus   | 7.5
    OS          | Redhat | Enterprise Linux Server Eus   | 7.6
    OS          | Redhat | Enterprise Linux Server Tus   | 7.3
    OS          | Redhat | Enterprise Linux Server Tus   | 7.6
    OS          | Redhat | Enterprise Linux Workstation  | 6.0
    OS          | Redhat | Enterprise Linux Workstation  | 7.0
  • OR - Configuration 3 (CPE 2.3; Version, Update and all other unlisted fields are wildcards "*")
    Part        | Vendor | Product | Version End Excluding
    Application | Redhat | Icedtea | 3.4.0

Vulnerable Software List

Vendor | Product                      | Versions
Debian | Debian Linux                 | 8.0
Redhat | Enterprise Linux Workstation | 6.0, 7.0
Redhat | Satellite                    | 5.8
Redhat | Enterprise Linux Desktop     | 6.0, 7.0
Redhat | Enterprise Linux Server Aus  | 7.3, 7.4, 7.6
Redhat | Enterprise Linux Server Tus  | 7.3, 7.6
Redhat | Enterprise Linux Server Eus  | 7.3, 7.4, 7.5, 7.6
Redhat | Icedtea                      | *
Redhat | Enterprise Linux Server      | 6.0, 7.0
Oracle | Jre                          | 1.6.0, 1.7.0, 1.8.0
Oracle | Jdk                          | 1.6.0, 1.7.0, 1.8.0

References

Name | Source | URL | Tags
DSA-3858 | DEBIAN | http://www.debian.org/security/2017/dsa-3858 | Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html | CONFIRM | http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html | Patch, Vendor Advisory
97752 | BID | http://www.securityfocus.com/bid/97752 | Third Party Advisory, VDB Entry
1038286 | SECTRACK | http://www.securitytracker.com/id/1038286 | Third Party Advisory, VDB Entry
RHSA-2017:1108 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1108 | Third Party Advisory
RHSA-2017:1109 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1109 | Third Party Advisory
RHSA-2017:1117 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1117 | Third Party Advisory
RHSA-2017:1118 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1118 | Third Party Advisory
RHSA-2017:1119 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1119 | Third Party Advisory
RHSA-2017:1204 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1204 | Third Party Advisory
RHSA-2017:1220 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1220 | Third Party Advisory
RHSA-2017:1221 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1221 | Third Party Advisory
RHSA-2017:1222 | REDHAT | https://access.redhat.com/errata/RHSA-2017:1222 | Third Party Advisory
RHSA-2017:3453 | REDHAT | https://access.redhat.com/errata/RHSA-2017:3453 | Third Party Advisory
GLSA-201705-03 | GENTOO | https://security.gentoo.org/glsa/201705-03 | Third Party Advisory
GLSA-201707-01 | GENTOO | https://security.gentoo.org/glsa/201707-01 | Third Party Advisory