{"id":"USN-3473-1","summary":"openjdk-8 vulnerabilities",
"details":"It was discovered that the Smart Card IO subsystem in OpenJDK did not\nproperly maintain state. An attacker could use this to specially construct\nan untrusted Java application or applet to gain access to a smart card,\nbypassing sandbox restrictions. (CVE-2017-10274)\n\nGaston Traberg discovered that the Serialization component of OpenJDK did\nnot properly limit the amount of memory allocated when performing\ndeserializations. An attacker could use this to cause a denial of service\n(memory exhaustion). (CVE-2017-10281)\n\nIt was discovered that the Remote Method Invocation (RMI) component in\nOpenJDK did not properly handle unreferenced objects. An attacker could use\nthis to specially construct an untrusted Java application or applet that\ncould escape sandbox restrictions. (CVE-2017-10285)\n\nIt was discovered that the HTTPUrlConnection classes in OpenJDK did not\nproperly handle newlines. An attacker could use this to convince a Java\napplication or applet to inject headers into http requests.\n(CVE-2017-10295)\n\nFrancesco Palmarini, Marco Squarcina, Mauro Tempesta, and Riccardo Focardi\ndiscovered that the Serialization component of OpenJDK did not properly\nrestrict the amount of memory allocated when deserializing objects from\nJava Cryptography Extension KeyStore (JCEKS). An attacker could use this to\ncause a denial of service (memory exhaustion). (CVE-2017-10345)\n\nIt was discovered that the Hotspot component of OpenJDK did not properly\nperform loader checks when handling the invokespecial JVM instruction. An\nattacker could use this to specially construct an untrusted Java\napplication or applet that could escape sandbox restrictions.\n(CVE-2017-10346)\n\nGaston Traberg discovered that the Serialization component of OpenJDK did\nnot properly limit the amount of memory allocated when performing\ndeserializations in the SimpleTimeZone class. An attacker could use this to\ncause a denial of service (memory exhaustion). (CVE-2017-10347)\n\nIt was discovered that the Serialization component of OpenJDK did not\nproperly limit the amount of memory allocated when performing\ndeserializations. An attacker could use this to cause a denial of service\n(memory exhaustion). (CVE-2017-10348, CVE-2017-10357)\n\nIt was discovered that the JAXP component in OpenJDK did not properly limit\nthe amount of memory allocated when performing deserializations. An\nattacker could use this to cause a denial of service (memory exhaustion).\n(CVE-2017-10349)\n\nIt was discovered that the JAX-WS component in OpenJDK did not properly\nlimit the amount of memory allocated when performing deserializations. An\nattacker could use this to cause a denial of service (memory exhaustion).\n(CVE-2017-10350)\n\nIt was discovered that the Networking component of OpenJDK did not properly\nset timeouts on FTP client actions. A remote attacker could use this to\ncause a denial of service (application hang). (CVE-2017-10355)\n\nFrancesco Palmarini, Marco Squarcina, Mauro Tempesta, Riccardo Focardi, and\nTobias Ospelt discovered that the Security component in OpenJDK did not\nsufficiently protect password-based encryption keys in key stores. An\nattacker could use this to expose sensitive information. (CVE-2017-10356)\n\nJeffrey Altman discovered that the Kerberos client implementation in\nOpenJDK incorrectly trusted unauthenticated portions of Kerberos tickets. A\nremote attacker could use this to impersonate trusted network services or\nperform other attacks. (CVE-2017-10388)\n",
"modified":"2026-02-10T04:41:14Z","published":"2017-11-08T07:48:39Z",
"related":["UBUNTU-CVE-2017-10274","UBUNTU-CVE-2017-10281","UBUNTU-CVE-2017-10285","UBUNTU-CVE-2017-10295","UBUNTU-CVE-2017-10345","UBUNTU-CVE-2017-10346","UBUNTU-CVE-2017-10347","UBUNTU-CVE-2017-10348","UBUNTU-CVE-2017-10349","UBUNTU-CVE-2017-10350","UBUNTU-CVE-2017-10355","UBUNTU-CVE-2017-10356","UBUNTU-CVE-2017-10357","UBUNTU-CVE-2017-10388"],
"upstream":["CVE-2017-10274","CVE-2017-10281","CVE-2017-10285","CVE-2017-10295","CVE-2017-10345","CVE-2017-10346","CVE-2017-10347","CVE-2017-10348","CVE-2017-10349","CVE-2017-10350","CVE-2017-10355","CVE-2017-10356","CVE-2017-10357","CVE-2017-10388","UBUNTU-CVE-2017-10274","UBUNTU-CVE-2017-10281","UBUNTU-CVE-2017-10285","UBUNTU-CVE-2017-10295","UBUNTU-CVE-2017-10345","UBUNTU-CVE-2017-10346","UBUNTU-CVE-2017-10347","UBUNTU-CVE-2017-10348","UBUNTU-CVE-2017-10349","UBUNTU-CVE-2017-10350","UBUNTU-CVE-2017-10355","UBUNTU-CVE-2017-10356","UBUNTU-CVE-2017-10357","UBUNTU-CVE-2017-10388"],
"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3473-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10274"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10281"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10285"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10295"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10345"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10346"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10347"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10348"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10349"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10350"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10355"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10356"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10357"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-10388"}],
"affected":[{"package":{"name":"openjdk-8","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/openjdk-8@8u151-b12-0ubuntu0.16.04.2?arch=source&distro=xenial"},
"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8u151-b12-0ubuntu0.16.04.2"}]}],
"versions":["8u66-b01-5","8u72-b05-1ubuntu1","8u72-b05-5","8u72-b05-6","8u72-b15-1","8u72-b15-2ubuntu1","8u72-b15-2ubuntu3","8u72-b15-3ubuntu1","8u77-b03-1ubuntu2","8u77-b03-3ubuntu1","8u77-b03-3ubuntu2","8u77-b03-3ubuntu3","8u91-b14-0ubuntu4~16.04.1","8u91-b14-3ubuntu1~16.04.1","8u111-b14-2ubuntu0.16.04.2","8u121-b13-0ubuntu1.16.04.2","8u131-b11-0ubuntu1.16.04.2","8u131-b11-2ubuntu1.16.04.2","8u131-b11-2ubuntu1.16.04.3"],
"ecosystem_specific":{"binaries":[{"binary_version":"8u151-b12-0ubuntu0.16.04.2","binary_name":"openjdk-8-demo"},{"binary_version":"8u151-b12-0ubuntu0.16.04.2","binary_name":"openjdk-8-jdk"},{"binary_version":"8u151-b12-0ubuntu0.16.04.2","binary_name":"openjdk-8-jdk-headless"},{"binary_version":"8u151-b12-0ubuntu0.16.04.2","binary_name":"openjdk-8-jre"},{"binary_version":"8u151-b12-0ubuntu0.16.04.2","binary_name":"openjdk-8-jre-headless"},{"binary_version":"8u151-b12-0ubuntu0.16.04.2","binary_name":"openjdk-8-jre-jamvm"},{"binary_version":"8u151-b12-0ubuntu0.16.04.2","binary_name":"openjdk-8-jre-zero"},{"binary_version":"8u151-b12-0ubuntu0.16.04.2","binary_name":"openjdk-8-source"}],"availability":"No subscription required"},
"database_specific":{"cves_map":{"cves":[
{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10274"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10281"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10285"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10295"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10345"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10346"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10347"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10348"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10349"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10350"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10355"},
{"severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10356"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10357"},
{"severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2017-10388"}],
"ecosystem":"Ubuntu:16.04:LTS"},
"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3473-1.json"}}],
"schema_version":"1.7.3"}