CVE-2017-3252

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAAS). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS v3.0 Base Score 5.8 (Integrity impacts).

CVSS v3 5.8 MEDIUM
CVSS v2.0 2.1 LOW

5.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N

Exploitability : 1.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:S/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2017-0175.html
http://rhn.redhat.com/errata/RHSA-2017-0176.html
http://rhn.redhat.com/errata/RHSA-2017-0177.html
http://rhn.redhat.com/errata/RHSA-2017-0180.html
http://rhn.redhat.com/errata/RHSA-2017-0263.html
http://rhn.redhat.com/errata/RHSA-2017-0269.html
http://rhn.redhat.com/errata/RHSA-2017-0336.html
http://rhn.redhat.com/errata/RHSA-2017-0337.html
http://rhn.redhat.com/errata/RHSA-2017-0338.html
http://www.debian.org/security/2017/dsa-3782
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html	Not Applicable Vendor Advisory
http://www.securityfocus.com/bid/95509	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1037637
https://access.redhat.com/errata/RHSA-2017:1216
https://security.gentoo.org/glsa/201701-65
https://security.gentoo.org/glsa/201707-01
https://security.netapp.com/advisory/ntap-20170119-0001/
http://rhn.redhat.com/errata/RHSA-2017-0175.html
http://rhn.redhat.com/errata/RHSA-2017-0176.html
http://rhn.redhat.com/errata/RHSA-2017-0177.html
http://rhn.redhat.com/errata/RHSA-2017-0180.html
http://rhn.redhat.com/errata/RHSA-2017-0263.html
http://rhn.redhat.com/errata/RHSA-2017-0269.html
http://rhn.redhat.com/errata/RHSA-2017-0336.html
http://rhn.redhat.com/errata/RHSA-2017-0337.html
http://rhn.redhat.com/errata/RHSA-2017-0338.html
http://www.debian.org/security/2017/dsa-3782
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html	Not Applicable Vendor Advisory
http://www.securityfocus.com/bid/95509	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1037637
https://access.redhat.com/errata/RHSA-2017:1216
https://security.gentoo.org/glsa/201701-65
https://security.gentoo.org/glsa/201707-01
https://security.netapp.com/advisory/ntap-20170119-0001/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oracle:jdk:1.6:update_131::::::
	cpe:2.3:a:oracle:jdk:1.7:update_121::::::
	cpe:2.3:a:oracle:jdk:1.8:update_111::::::
	cpe:2.3:a:oracle:jdk:1.8:update_112::::::
	cpe:2.3:a:oracle:jre:1.6:update_131::::::
	cpe:2.3:a:oracle:jre:1.7:update_121::::::
	cpe:2.3:a:oracle:jre:1.8:update_111::::::
	cpe:2.3:a:oracle:jre:1.8:update_112::::::
	cpe:2.3:a:oracle:jrockit:r28.3.12:::::::*

History

21 Nov 2024, 03:25

Information

Published : 2017-01-27 22:59

Updated : 2025-04-20 01:37

NVD link : CVE-2017-3252

Mitre link : CVE-2017-3252

CVE.ORG link : CVE-2017-3252

JSON object : View

Products Affected

oracle

jdk
jrockit
jre

CWE

NVD-CWE-noinfo

{"id": "CVE-2017-3252", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 1.3}]}, "published": "2017-01-27T22:59:02.693", "references": [{"url": "http://rhn.redhat.com/errata/RHSA-2017-0175.html", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0176.html", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0177.html", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0180.html", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0263.html", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0269.html", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0337.html", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0338.html", "source": "secalert_us@oracle.com"}, {"url": "http://www.debian.org/security/2017/dsa-3782", "source": "secalert_us@oracle.com"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html", "tags": ["Not Applicable", "Vendor Advisory"], "source": "secalert_us@oracle.com"}, {"url": "http://www.securityfocus.com/bid/95509", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert_us@oracle.com"}, {"url": "http://www.securitytracker.com/id/1037637", "source": "secalert_us@oracle.com"}, {"url": "https://access.redhat.com/errata/RHSA-2017:1216", "source": "secalert_us@oracle.com"}, {"url": "https://security.gentoo.org/glsa/201701-65", "source": "secalert_us@oracle.com"}, {"url": "https://security.gentoo.org/glsa/201707-01", "source": "secalert_us@oracle.com"}, {"url": "https://security.netapp.com/advisory/ntap-20170119-0001/", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0175.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0176.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0177.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0180.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0263.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0269.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0336.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0337.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0338.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.debian.org/security/2017/dsa-3782", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html", "tags": ["Not Applicable", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/95509", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id/1037637", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2017:1216", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201701-65", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201707-01", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20170119-0001/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAAS). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS v3.0 Base Score 5.8 (Integrity impacts)."}, {"lang": "es", "value": "Vulnerabilidad en el componente Java SE, Java SE Embedded, JRockit de Oracle Java SE (Subcomponente:JAAS). Versiones compatibles que est\u00e1n afectadas son Java SE: 6u131, 7u121 y 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12. Vulnerabilidad dif\u00edcil de explotar permite a atacantes poco privilegiados con acceso a la red a trav\u00e9s de m\u00faltiples protocolos, comprometer Java SE, Java SE Embedded, JRockit. Ataques exitosos requieren interacci\u00f3n humana de una persona distinta del atacante y mientras la vulnerabilidad est\u00e9 en Java SE, Java SE Embedded, JRockit, los ataques podr\u00edan afectar significativamente a productos adicionales. Ataques exitosos de esta vulnerabilidad pueden resultar en creaci\u00f3n no autorizada, inserci\u00f3n o borrado de acceso a todos los datos accesibles de Java SE, Java SE Embedded, JRockit. Nota: Aplica a la implementaci\u00f3n de cliente y servidor de Java. Esta vulnerabilidad puede ser explotada a trav\u00e9s de aplicaciones Java Web Start y applets Java aislados. Tambi\u00e9n puede ser explotada suministrando datos de APIs en el componente especificado sin utilizar aplicaciones Java Web Start o applets Java aislados, como por ejemplo mediante un servicio web. CVSS v3.0 Base Score 5.8 (Impactos de integridad)."}], "lastModified": "2025-04-20T01:37:25.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:jdk:1.6:update_131:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1384D79-F9DA-44C5-A3C9-3CCE627B2255"}, {"criteria": "cpe:2.3:a:oracle:jdk:1.7:update_121:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92EF1E3B-6EF8-499A-84EA-D7792B181CCB"}, {"criteria": "cpe:2.3:a:oracle:jdk:1.8:update_111:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73185AEF-8CB1-4728-9E99-D0D2A3419D40"}, {"criteria": "cpe:2.3:a:oracle:jdk:1.8:update_112:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEB76EC4-557F-4C67-BE1E-79E837043B05"}, {"criteria": "cpe:2.3:a:oracle:jre:1.6:update_131:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C747C39A-145E-4648-99C2-0A8C7BA77F11"}, {"criteria": "cpe:2.3:a:oracle:jre:1.7:update_121:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "706F9471-3647-4D13-B794-4F53700091F7"}, {"criteria": "cpe:2.3:a:oracle:jre:1.8:update_111:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1ED8B5A9-E738-430E-9FC6-206DFC98B965"}, {"criteria": "cpe:2.3:a:oracle:jre:1.8:update_112:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AA3E574-DC5D-465B-95B8-CD1AF5433646"}, {"criteria": "cpe:2.3:a:oracle:jrockit:r28.3.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE1A57E9-0134-466F-B8EE-9E38A844F865"}], "operator": "OR"}]}], "sourceIdentifier": "secalert_us@oracle.com"}

5.8 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

2.1 /10

Access Vector NETWORK

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2017-3252

5.8^/10

2.1^/10

Attach tags to `CVE-2017-3252`