Details of VAR-201804-1619

ID

VAR-201804-1619

CVE

CVE-2018-2811

TITLE

Oracle Java SE In Install Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2018-002871

DESCRIPTION

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Install). Supported versions that are affected are Java SE: 8u162 and 10. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: Applies to installation process on client deployment of Java. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Oracle Java SE Is Install There are vulnerabilities that affect confidentiality, integrity, and availability due to incomplete handling.Information is obtained by local users, information is altered, and service operation is interrupted. (DoS) An attack may be carried out. This issue affects the 'Install' component. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201903-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Oracle JDK/JRE: Multiple vulnerabilities Date: March 14, 2019 Bugs: #653560, #661456, #676134 ID: 201903-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Oracleas JDK and JRE software suites. Background ========== Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in todayas demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that todayas applications require. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-java/oracle-jdk-bin < 1.8.0.202 >= 1.8.0.202 2 dev-java/oracle-jre-bin < 1.8.0.202 >= 1.8.0.202 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple vulnerabilities have been discovered in Oracleas JDK and JRE software suites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, gain access to information, or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Oracle JDK bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.8.0.202" All Oracle JRE bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.8.0.202" References ========== [ 1 ] CVE-2018-2790 https://nvd.nist.gov/vuln/detail/CVE-2018-2790 [ 2 ] CVE-2018-2794 https://nvd.nist.gov/vuln/detail/CVE-2018-2794 [ 3 ] CVE-2018-2795 https://nvd.nist.gov/vuln/detail/CVE-2018-2795 [ 4 ] CVE-2018-2796 https://nvd.nist.gov/vuln/detail/CVE-2018-2796 [ 5 ] CVE-2018-2797 https://nvd.nist.gov/vuln/detail/CVE-2018-2797 [ 6 ] CVE-2018-2798 https://nvd.nist.gov/vuln/detail/CVE-2018-2798 [ 7 ] CVE-2018-2799 https://nvd.nist.gov/vuln/detail/CVE-2018-2799 [ 8 ] CVE-2018-2800 https://nvd.nist.gov/vuln/detail/CVE-2018-2800 [ 9 ] CVE-2018-2811 https://nvd.nist.gov/vuln/detail/CVE-2018-2811 [ 10 ] CVE-2018-2814 https://nvd.nist.gov/vuln/detail/CVE-2018-2814 [ 11 ] CVE-2018-2815 https://nvd.nist.gov/vuln/detail/CVE-2018-2815 [ 12 ] CVE-2019-2422 https://nvd.nist.gov/vuln/detail/CVE-2019-2422 [ 13 ] CVE-2019-2426 https://nvd.nist.gov/vuln/detail/CVE-2019-2426 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201903-14 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 1.98

sources: NVD: CVE-2018-2811 // JVNDB: JVNDB-2018-002871 // BID: 103810 // PACKETSTORM: 152088

AFFECTED PRODUCTS

vendor:	redhat	model:	enterprise linux workstation	scope:	eq	version:	7.0	Trust: 1.6
vendor:	redhat	model:	enterprise linux workstation	scope:	eq	version:	6.0	Trust: 1.6
vendor:	redhat	model:	enterprise linux server	scope:	eq	version:	7.0	Trust: 1.6
vendor:	redhat	model:	enterprise linux server	scope:	eq	version:	6.0	Trust: 1.0
vendor:	oracle	model:	jdk	scope:	eq	version:	1.10.0	Trust: 1.0
vendor:	oracle	model:	jre	scope:	eq	version:	1.10.0	Trust: 1.0
vendor:	oracle	model:	jdk	scope:	eq	version:	1.8.0	Trust: 1.0
vendor:	schneider electric	model:	struxureware data center expert	scope:	lt	version:	7.6.0	Trust: 1.0
vendor:	oracle	model:	jre	scope:	eq	version:	1.8.0	Trust: 1.0
vendor:	oracle	model:	jre update	scope:	eq	version:	1.8162	Trust: 0.9
vendor:	oracle	model:	jre	scope:	eq	version:	10.0.1	Trust: 0.9
vendor:	oracle	model:	jdk update	scope:	eq	version:	1.8162	Trust: 0.9
vendor:	oracle	model:	jdk	scope:	eq	version:	10.0.1	Trust: 0.9
vendor:	oracle	model:	jdk	scope:	eq	version:	10	Trust: 0.8
vendor:	oracle	model:	jdk	scope:	eq	version:	8 update 162	Trust: 0.8
vendor:	oracle	model:	jre	scope:	eq	version:	10	Trust: 0.8
vendor:	oracle	model:	jre	scope:	eq	version:	8 update 162	Trust: 0.8
vendor:	red hat	model:	enterprise linux server	scope:	-	version:	-	Trust: 0.8
vendor:	red hat	model:	enterprise linux workstation	scope:	-	version:	-	Trust: 0.8

sources: NVD: CVE-2018-2811 // CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871 // BID: 103810

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2018-2811
value:	HIGH
Trust: 1.8
CNNVD:	CNNVD-201804-1210
value:	HIGH
Trust: 0.6

NVD:	CVE-2018-2811
severity:	LOW
baseScore:	3.7
vectorString:	AV:L/AC:H/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	1.9
impactScore:	6.4
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	TRUE
version:	2.0
Trust: 1.8

NVD:	CVE-2018-2811
baseSeverity:	HIGH
baseScore:	7.7
vectorString:	CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.0
impactScore:	6.0
version:	3.0
Trust: 1.8

sources: NVD: CVE-2018-2811 // CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.8

sources: NVD: CVE-2018-2811 // JVNDB: JVNDB-2018-002871

THREAT TYPE

local

Trust: 0.9

sources: CNNVD: CNNVD-201804-1210 // BID: 103810

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201804-1210

CONFIGURATIONS

sources: NVD: CVE-2018-2811

PATCH

title:	Oracle Critical Patch Update Advisory - April 2018	url:	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Trust: 0.8
title:	Text Form of Oracle Critical Patch Update - April 2018 Risk Matrices	url:	http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-3678108.html	Trust: 0.8
title:	RHSA-2018:1204	url:	https://access.redhat.com/errata/rhsa-2018:1204	Trust: 0.8
title:	RHSA-2018:1202	url:	https://access.redhat.com/errata/rhsa-2018:1202	Trust: 0.8
title:	Oracle Corporation Javaプラグインの脆弱性に関するお知らせ	url:	http://www.fmworld.net/biz/common/oracle/20180418.html	Trust: 0.8
title:	Oracle Java SE Fixes for component security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=79528	Trust: 0.6

sources: CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871

EXTERNAL IDS

db:	NVD	id:	CVE-2018-2811	Trust: 2.8
db:	BID	id:	103810	Trust: 1.9
db:	SECTRACK	id:	1040697	Trust: 1.6
db:	JVNDB	id:	JVNDB-2018-002871	Trust: 0.8
db:	PACKETSTORM	id:	152088	Trust: 0.7
db:	CNNVD	id:	CNNVD-201804-1210	Trust: 0.6

sources: NVD: CVE-2018-2811 // CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871 // BID: 103810 // PACKETSTORM: 152088

REFERENCES

url:	http://www.securityfocus.com/bid/103810	Trust: 2.2
url:	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Trust: 1.9
url:	https://security.gentoo.org/glsa/201903-14	Trust: 1.7
url:	http://www.securitytracker.com/id/1040697	Trust: 1.6
url:	https://security.netapp.com/advisory/ntap-20180419-0001/	Trust: 1.6
url:	https://access.redhat.com/errata/rhsa-2018:1204	Trust: 1.6
url:	https://access.redhat.com/errata/rhsa-2018:1202	Trust: 1.6
url:	https://help.ecostruxureit.com/display/public/uadce725/security+fixes+in+struxureware+data+center+expert+v7.6.0	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2811	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2811	Trust: 0.8
url:	https://www.ipa.go.jp/security/ciadr/vul/20180418-jre.html	Trust: 0.8
url:	http://www.jpcert.or.jp/at/2018/at180018.html	Trust: 0.8
url:	https://packetstormsecurity.com/files/152088/gentoo-linux-security-advisory-201903-14.html	Trust: 0.6
url:	http://www.oracle.com/index.html	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2798	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2796	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2794	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2795	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2814	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2790	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2815	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2797	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-2426	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2800	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2799	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-2422	Trust: 0.1

sources: NVD: CVE-2018-2811 // CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871 // BID: 103810 // PACKETSTORM: 152088

CREDITS

Gentoo

Trust: 0.7

sources: CNNVD: CNNVD-201804-1210 // PACKETSTORM: 152088

SOURCES

db:	NVD	id:	CVE-2018-2811
db:	CNNVD	id:	CNNVD-201804-1210
db:	JVNDB	id:	JVNDB-2018-002871
db:	BID	id:	103810
db:	PACKETSTORM	id:	152088

LAST UPDATE DATE

2021-12-19T00:57:05.378000+00:00

SOURCES UPDATE DATE

db:	NVD	id:	CVE-2018-2811	date:	2020-09-08T12:29:00
db:	CNNVD	id:	CNNVD-201804-1210	date:	2019-10-23T00:00:00
db:	JVNDB	id:	JVNDB-2018-002871	date:	2018-05-07T00:00:00
db:	BID	id:	103810	date:	2018-04-17T00:00:00
db:	PACKETSTORM	id:	152088	date:	-

SOURCES RELEASE DATE

db:	NVD	id:	CVE-2018-2811	date:	2018-04-19T02:29:00
db:	CNNVD	id:	CNNVD-201804-1210	date:	2018-04-20T00:00:00
db:	JVNDB	id:	JVNDB-2018-002871	date:	2018-05-07T00:00:00
db:	BID	id:	103810	date:	2018-04-17T00:00:00
db:	PACKETSTORM	id:	152088	date:	2019-03-14T16:24:13