ID

VAR-201804-1619


CVE

CVE-2018-2811


TITLE

Oracle Java SE In Install Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2018-002871

DESCRIPTION

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Install). Supported versions that are affected are Java SE: 8u162 and 10. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: Applies to installation process on client deployment of Java. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). Oracle Java SE Is Install There are vulnerabilities that affect confidentiality, integrity, and availability due to incomplete handling.Information is obtained by local users, information is altered, and service operation is interrupted. (DoS) An attack may be carried out. This issue affects the 'Install' component. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201903-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Oracle JDK/JRE: Multiple vulnerabilities Date: March 14, 2019 Bugs: #653560, #661456, #676134 ID: 201903-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Oracleas JDK and JRE software suites. Background ========== Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in todayas demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that todayas applications require. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-java/oracle-jdk-bin < 1.8.0.202 >= 1.8.0.202 2 dev-java/oracle-jre-bin < 1.8.0.202 >= 1.8.0.202 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple vulnerabilities have been discovered in Oracleas JDK and JRE software suites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, gain access to information, or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Oracle JDK bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.8.0.202" All Oracle JRE bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.8.0.202" References ========== [ 1 ] CVE-2018-2790 https://nvd.nist.gov/vuln/detail/CVE-2018-2790 [ 2 ] CVE-2018-2794 https://nvd.nist.gov/vuln/detail/CVE-2018-2794 [ 3 ] CVE-2018-2795 https://nvd.nist.gov/vuln/detail/CVE-2018-2795 [ 4 ] CVE-2018-2796 https://nvd.nist.gov/vuln/detail/CVE-2018-2796 [ 5 ] CVE-2018-2797 https://nvd.nist.gov/vuln/detail/CVE-2018-2797 [ 6 ] CVE-2018-2798 https://nvd.nist.gov/vuln/detail/CVE-2018-2798 [ 7 ] CVE-2018-2799 https://nvd.nist.gov/vuln/detail/CVE-2018-2799 [ 8 ] CVE-2018-2800 https://nvd.nist.gov/vuln/detail/CVE-2018-2800 [ 9 ] CVE-2018-2811 https://nvd.nist.gov/vuln/detail/CVE-2018-2811 [ 10 ] CVE-2018-2814 https://nvd.nist.gov/vuln/detail/CVE-2018-2814 [ 11 ] CVE-2018-2815 https://nvd.nist.gov/vuln/detail/CVE-2018-2815 [ 12 ] CVE-2019-2422 https://nvd.nist.gov/vuln/detail/CVE-2019-2422 [ 13 ] CVE-2019-2426 https://nvd.nist.gov/vuln/detail/CVE-2019-2426 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201903-14 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 1.98

sources: NVD: CVE-2018-2811 // JVNDB: JVNDB-2018-002871 // BID: 103810 // PACKETSTORM: 152088

AFFECTED PRODUCTS

vendor:redhatmodel:enterprise linux workstationscope:eqversion:7.0

Trust: 1.6

vendor:redhatmodel:enterprise linux workstationscope:eqversion:6.0

Trust: 1.6

vendor:redhatmodel:enterprise linux serverscope:eqversion:7.0

Trust: 1.6

vendor:redhatmodel:enterprise linux serverscope:eqversion:6.0

Trust: 1.0

vendor:oraclemodel:jdkscope:eqversion:1.10.0

Trust: 1.0

vendor:oraclemodel:jrescope:eqversion:1.10.0

Trust: 1.0

vendor:oraclemodel:jdkscope:eqversion:1.8.0

Trust: 1.0

vendor:schneider electricmodel:struxureware data center expertscope:ltversion:7.6.0

Trust: 1.0

vendor:oraclemodel:jrescope:eqversion:1.8.0

Trust: 1.0

vendor:oraclemodel:jre updatescope:eqversion:1.8162

Trust: 0.9

vendor:oraclemodel:jrescope:eqversion:10.0.1

Trust: 0.9

vendor:oraclemodel:jdk updatescope:eqversion:1.8162

Trust: 0.9

vendor:oraclemodel:jdkscope:eqversion:10.0.1

Trust: 0.9

vendor:oraclemodel:jdkscope:eqversion:10

Trust: 0.8

vendor:oraclemodel:jdkscope:eqversion:8 update 162

Trust: 0.8

vendor:oraclemodel:jrescope:eqversion:10

Trust: 0.8

vendor:oraclemodel:jrescope:eqversion:8 update 162

Trust: 0.8

vendor:red hatmodel:enterprise linux serverscope: - version: -

Trust: 0.8

vendor:red hatmodel:enterprise linux workstationscope: - version: -

Trust: 0.8

sources: NVD: CVE-2018-2811 // CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871 // BID: 103810

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2018-2811
value: HIGH

Trust: 1.8

CNNVD: CNNVD-201804-1210
value: HIGH

Trust: 0.6

NVD: CVE-2018-2811
severity: LOW
baseScore: 3.7
vectorString: AV:L/AC:H/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: TRUE
version: 2.0

Trust: 1.8

NVD: CVE-2018-2811
baseSeverity: HIGH
baseScore: 7.7
vectorString: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 6.0
version: 3.0

Trust: 1.8

sources: NVD: CVE-2018-2811 // CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-284

Trust: 0.8

sources: NVD: CVE-2018-2811 // JVNDB: JVNDB-2018-002871

THREAT TYPE

local

Trust: 0.9

sources: CNNVD: CNNVD-201804-1210 // BID: 103810

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201804-1210

CONFIGURATIONS

sources: NVD: CVE-2018-2811

PATCH

title:Oracle Critical Patch Update Advisory - April 2018url:http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Trust: 0.8

title:Text Form of Oracle Critical Patch Update - April 2018 Risk Matricesurl:http://www.oracle.com/technetwork/security-advisory/cpuapr2018verbose-3678108.html

Trust: 0.8

title:RHSA-2018:1204url:https://access.redhat.com/errata/rhsa-2018:1204

Trust: 0.8

title:RHSA-2018:1202url:https://access.redhat.com/errata/rhsa-2018:1202

Trust: 0.8

title:Oracle Corporation Javaプラグインの脆弱性に関するお知らせurl:http://www.fmworld.net/biz/common/oracle/20180418.html

Trust: 0.8

title:Oracle Java SE Fixes for component security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=79528

Trust: 0.6

sources: CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871

EXTERNAL IDS

db:NVDid:CVE-2018-2811

Trust: 2.8

db:BIDid:103810

Trust: 1.9

db:SECTRACKid:1040697

Trust: 1.6

db:JVNDBid:JVNDB-2018-002871

Trust: 0.8

db:PACKETSTORMid:152088

Trust: 0.7

db:CNNVDid:CNNVD-201804-1210

Trust: 0.6

sources: NVD: CVE-2018-2811 // CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871 // BID: 103810 // PACKETSTORM: 152088

REFERENCES

url:http://www.securityfocus.com/bid/103810

Trust: 2.2

url:http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Trust: 1.9

url:https://security.gentoo.org/glsa/201903-14

Trust: 1.7

url:http://www.securitytracker.com/id/1040697

Trust: 1.6

url:https://security.netapp.com/advisory/ntap-20180419-0001/

Trust: 1.6

url:https://access.redhat.com/errata/rhsa-2018:1204

Trust: 1.6

url:https://access.redhat.com/errata/rhsa-2018:1202

Trust: 1.6

url:https://help.ecostruxureit.com/display/public/uadce725/security+fixes+in+struxureware+data+center+expert+v7.6.0

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2018-2811

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2811

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20180418-jre.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2018/at180018.html

Trust: 0.8

url:https://packetstormsecurity.com/files/152088/gentoo-linux-security-advisory-201903-14.html

Trust: 0.6

url:http://www.oracle.com/index.html

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2018-2798

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2796

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2794

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2795

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2814

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2790

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2815

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2797

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-2426

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2800

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-2799

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-2422

Trust: 0.1

sources: NVD: CVE-2018-2811 // CNNVD: CNNVD-201804-1210 // JVNDB: JVNDB-2018-002871 // BID: 103810 // PACKETSTORM: 152088

CREDITS

Gentoo

Trust: 0.7

sources: CNNVD: CNNVD-201804-1210 // PACKETSTORM: 152088

SOURCES

db:NVDid:CVE-2018-2811
db:CNNVDid:CNNVD-201804-1210
db:JVNDBid:JVNDB-2018-002871
db:BIDid:103810
db:PACKETSTORMid:152088

LAST UPDATE DATE

2021-12-19T00:57:05.378000+00:00


SOURCES UPDATE DATE

db:NVDid:CVE-2018-2811date:2020-09-08T12:29:00
db:CNNVDid:CNNVD-201804-1210date:2019-10-23T00:00:00
db:JVNDBid:JVNDB-2018-002871date:2018-05-07T00:00:00
db:BIDid:103810date:2018-04-17T00:00:00
db:PACKETSTORMid:152088date: -

SOURCES RELEASE DATE

db:NVDid:CVE-2018-2811date:2018-04-19T02:29:00
db:CNNVDid:CNNVD-201804-1210date:2018-04-20T00:00:00
db:JVNDBid:JVNDB-2018-002871date:2018-05-07T00:00:00
db:BIDid:103810date:2018-04-17T00:00:00
db:PACKETSTORMid:152088date:2019-03-14T16:24:13