CVE-2018-2637

moderate-risk

Published 2018-01-18

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Do I need to act?

0.19% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.4/10 High

NETWORK / HIGH complexity

Affected Products (20)

Jdk

Jre

Jrockit

Satellite

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus

Affected Vendors

Hp Debian Redhat Oracle Canonical Schneider-Electric

References (44)

Patch http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Broken Link http://www.securityfocus.com/bid/102576

Broken Link http://www.securitytracker.com/id/1040203

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0095

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0099

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0100

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0115

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0349

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0351

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0352

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0458

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0521

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1463

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1812

Third Party Advisory https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+Struxur...

Mailing List https://lists.debian.org/debian-lts-announce/2018/04/msg00003.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20180117-0001/

Third Party Advisory https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe...

Third Party Advisory https://usn.ubuntu.com/3613-1/

Third Party Advisory https://usn.ubuntu.com/3614-1/

and 24 more references

/ 100

moderate-risk

Severity 22/34 · High

Exploitability 1/34 · Minimal

Exposure 23/34 · High