Description
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle
Java SE (subcomponent: JMX). Supported versions that are affected are Java
SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit:
R28.3.16. Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE,
Java SE Embedded, JRockit. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification access to
critical data or all Java SE, Java SE Embedded, JRockit accessible data as
well as unauthorized access to critical data or complete access to all Java
SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can
only be exploited by supplying data to APIs in the specified Component
without using Untrusted Java Web Start applications or Untrusted Java
applets, such as through a web service. CVSS 3.0 Base Score 7.4
(Confidentiality and Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
Ubuntu-Description
It was discovered that the Java Management Extensions (JMX) component
of OpenJDK did not properly apply deserialization filters in some
situations. An attacker could use this to bypass deserialization
restrictions.
Package
| Upstream: | needs-triage
|
| Ubuntu 18.04 LTS: | DNE
|
| Ubuntu 20.04 LTS: | DNE
|
| Ubuntu 21.10: | DNE
|
| Ubuntu 22.04 LTS: | DNE
|
| Ubuntu 14.04 ESM: | DNE
(trusty was needs-triage)
|
Patches:
Package
| Upstream: | released
(7u171-2.6.13-1)
|
| Ubuntu 18.04 LTS: | DNE
|
| Ubuntu 20.04 LTS: | DNE
|
| Ubuntu 21.10: | DNE
|
| Ubuntu 22.04 LTS: | DNE
|
| Ubuntu 14.04 ESM: | DNE
(trusty was released [7u171-2.6.13-0ubuntu0.14.04.2])
|
Patches:
Package
| Upstream: | released
(9.0.4+12-1)
|
| Ubuntu 18.04 LTS: | DNE
|
| Ubuntu 20.04 LTS: | DNE
|
| Ubuntu 21.10: | DNE
|
| Ubuntu 22.04 LTS: | DNE
|
| Ubuntu 14.04 ESM: | DNE
|
Patches:
Updated: 2022-04-25 00:26:48 UTC (commit ecc1009cb19540b950de59270950018900f37f15)