NVD Vulnerability Detail

CVE-2017-10309

Summary	Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u144 and 9. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Publication Date	Oct. 20, 2017, 2:29 a.m.
Registration Date	Jan. 26, 2021, 1:11 p.m.
Last Update	Nov. 21, 2024, 12:05 p.m.

CVSS3.1 : HIGH
スコア	7.1
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更あり
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低

CVSS2.0 : MEDIUM
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:jdk:1.9.0:::::::*
cpe:2.3:a:oracle:jre:1.9.0:::::::*
cpe:2.3:a:oracle:jdk:1.8.0:update144::::::
cpe:2.3:a:oracle:jre:1.8.0:update144::::::

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
cpe:2.3:a:redhat:satellite:5.8:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:netapp:cloud_backup:-:::::::*
cpe:2.3:a:netapp:oncommand_balance:-:::::::*
cpe:2.3:a:netapp:element_software:-:::::::*
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*
cpe:2.3:a:netapp:snapmanager:-:::::oracle::
cpe:2.3:a:netapp:snapmanager:-:::::sap::
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:oncommand_insight:-:::::::*
cpe:2.3:a:netapp:virtual_storage_console::::::vmware_vsphere::*	7.2
cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:::::::*
cpe:2.3:a:netapp:oncommand_unified_manager:-:::::7-mode::
cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*	7.3
cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*	9.5
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap::::::::	7.2
cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:::::vmware_vcenter::
cpe:2.3:a:netapp:oncommand_shift:-:::::::*
cpe:2.3:a:netapp:oncommand_performance_manager:-:::::vmware_vsphere::
cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:::::::*
cpe:2.3:a:netapp:e-series_santricity_web_services:-:::::web_services_proxy::
cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::	11.0	11.70.1
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap::::::windows::*	7.2
cpe:2.3:a:netapp:oncommand_unified_manager::::::vsphere::*		7.1
cpe:2.3:a:netapp:oncommand_unified_manager::::::windows::*		7.1
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:6.0:::::::*
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap::::::vmware_vsphere::*	7.2
cpe:2.3:a:netapp:virtual_storage_console:6.0:::::vmware_vsphere::

Related information, measures and tools

No	URL	タグ
1	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html	Patch Vendor Advisory
2	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html	Patch Vendor Advisory
3	http://www.securityfocus.com/bid/101328	Broken Link
4	http://www.securityfocus.com/bid/101328	Broken Link
5	http://www.securitytracker.com/id/1039596	Broken Link
6	http://www.securitytracker.com/id/1039596	Broken Link
7	https://access.redhat.com/errata/RHSA-2017:2999	Third Party Advisory
8	https://access.redhat.com/errata/RHSA-2017:2999	Third Party Advisory
9	https://access.redhat.com/errata/RHSA-2017:3264	Third Party Advisory
10	https://access.redhat.com/errata/RHSA-2017:3264	Third Party Advisory
11	https://access.redhat.com/errata/RHSA-2017:3267	Third Party Advisory
12	https://access.redhat.com/errata/RHSA-2017:3267	Third Party Advisory
13	https://access.redhat.com/errata/RHSA-2017:3453	Third Party Advisory
14	https://access.redhat.com/errata/RHSA-2017:3453	Third Party Advisory
15	https://security.gentoo.org/glsa/201710-31	Third Party Advisory
16	https://security.gentoo.org/glsa/201710-31	Third Party Advisory
17	https://security.netapp.com/advisory/ntap-20171019-0001/	Third Party Advisory
18	https://security.netapp.com/advisory/ntap-20171019-0001/	Third Party Advisory
19	https://www.exploit-db.com/exploits/43103/	Exploit Third Party Advisory VDB Entry
20	https://www.exploit-db.com/exploits/43103/	Exploit Third Party Advisory VDB Entry

Common Vulnerabilities List

JVN Vulnerability Information

Oracle Java SE における Deployment に関する脆弱性

Title	Oracle Java SE における Deployment に関する脆弱性
Summary	Oracle Java SE には、Deployment に関する処理に不備があるため、機密性、完全性、および可用性に影響のある脆弱性が存在します。
Possible impacts	リモートの攻撃者により、情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 攻撃が行われる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 17, 2017, midnight
Registration Date	Oct. 27, 2017, 5:45 p.m.
Last Update	Oct. 27, 2017, 5:45 p.m.

Affected System

オラクル

JDK 8 Update 144

JDK 9

JRE 8 Update 144

JRE 9

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-10309	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10309
National Vulnerability Database (NVD)
2	CVE-2017-10309	https://nvd.nist.gov/vuln/detail/CVE-2017-10309

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-284	https://cwe.mitre.org/data/definitions/284.html

ベンダー情報

No	Name	URL
Oracle Critical Patch Update
1	Oracle Critical Patch Update Advisory - October 2017	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
2	Text Form of Oracle Critical Patch Update - October 2017 Risk Matrices	http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html
富士通セキュリティ情報
3	Oracle Corporation Javaプラグインの脆弱性に関するお知らせ	http://www.fmworld.net/biz/common/oracle/20171018.html

その他

No	Name	URL
IPA 重要なセキュリティ情報
1	Oracle Java の脆弱性対策について(CVE-2017-10346等)	https://www.ipa.go.jp/security/ciadr/vul/20171018-jre.html
JPCERT 注意喚起
2	JPCERT-AT-2017-0041	http://www.jpcert.or.jp/at/2017/at170041.html

Change Log

No	Changed Details	Date of change
0	[2017年10月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
cpe:2.3:a:redhat:satellite:5.8:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:netapp:cloud_backup:-:::::::*
cpe:2.3:a:netapp:oncommand_balance:-:::::::*
cpe:2.3:a:netapp:element_software:-:::::::*
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*
cpe:2.3:a:netapp:snapmanager:-:::::oracle::
cpe:2.3:a:netapp:snapmanager:-:::::sap::
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:oncommand_insight:-:::::::*
cpe:2.3:a:netapp:virtual_storage_console::::::vmware_vsphere::*	7.2
cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:::::::*
cpe:2.3:a:netapp:oncommand_unified_manager:-:::::7-mode::
cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*	7.3
cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*	9.5
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap::::::::	7.2
cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:::::vmware_vcenter::
cpe:2.3:a:netapp:oncommand_shift:-:::::::*
cpe:2.3:a:netapp:oncommand_performance_manager:-:::::vmware_vsphere::
cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:::::::*
cpe:2.3:a:netapp:e-series_santricity_web_services:-:::::web_services_proxy::
cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::	11.0	11.70.1
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap::::::windows::*	7.2
cpe:2.3:a:netapp:oncommand_unified_manager::::::vsphere::*		7.1
cpe:2.3:a:netapp:oncommand_unified_manager::::::windows::*		7.1
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:6.0:::::::*
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap::::::vmware_vsphere::*	7.2
cpe:2.3:a:netapp:virtual_storage_console:6.0:::::vmware_vsphere::