PublicDateAtUSN: 2018-10-16
Candidate: CVE-2018-3149
PublicDate: 2018-10-17 01:31:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149
 http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
 https://ubuntu.com/security/notices/USN-3804-1
 https://ubuntu.com/security/notices/USN-3824-1
Description:
 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle
 Java SE (subcomponent: JNDI). Supported versions that are affected are Java
 SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19.
 Difficult to exploit vulnerability allows unauthenticated attacker with
 network access via multiple protocols to compromise Java SE, Java SE
 Embedded, JRockit. Successful attacks require human interaction from a
 person other than the attacker and while the vulnerability is in Java SE,
 Java SE Embedded, JRockit, attacks may significantly impact additional
 products. Successful attacks of this vulnerability can result in takeover
 of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to
 Java deployments, typically in clients running sandboxed Java Web Start
 applications or sandboxed Java applets (in Java SE 8), that load and run
 untrusted code (e.g. code that comes from the internet) and rely on the
 Java sandbox for security. This vulnerability can also be exploited by
 using APIs in the specified Component, e.g. through a web service which
 supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality,
 Integrity and Availability impacts). CVSS Vector:
 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Ubuntu-Description:
 It was discovered that the Java Naming and Directory Interface (JNDI)
 implementation in OpenJDK did not properly enforce restrictions
 specified by system properties in some situations. An attacker could
 potentially use this to execute arbitrary code.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H [8.3 HIGH]


Patches_openjdk-7:
upstream_openjdk-7: needs-triage
precise/esm_openjdk-7: DNE
trusty_openjdk-7: released (7u181-2.6.14-0ubuntu0.3)
trusty/esm_openjdk-7: DNE (trusty was released [7u181-2.6.14-0ubuntu0.3])
xenial_openjdk-7: DNE
bionic_openjdk-7: DNE
cosmic_openjdk-7: DNE
devel_openjdk-7: DNE

Patches_openjdk-lts:
upstream_openjdk-lts: released (11.0.1+13-1)
precise/esm_openjdk-lts: DNE
trusty_openjdk-lts: DNE
trusty/esm_openjdk-lts: DNE
xenial_openjdk-lts: DNE
bionic_openjdk-lts: released (10.0.2+13-1ubuntu0.18.04.3)
cosmic_openjdk-lts: released (11.0.1+13-2ubuntu1)
devel_openjdk-lts: not-affected (11.0.1+13-3ubuntu1)

Patches_openjdk-8:
upstream_openjdk-8: needs-triage
precise/esm_openjdk-8: DNE
trusty_openjdk-8: DNE
trusty/esm_openjdk-8: DNE
xenial_openjdk-8: released (8u181-b13-1ubuntu0.16.04.1)
esm-infra/xenial_openjdk-8: released (8u181-b13-1ubuntu0.16.04.1)
bionic_openjdk-8: released (8u191-b12-0ubuntu0.18.04.1)
cosmic_openjdk-8: released (8u191-b12-0ubuntu0.18.10.1)
devel_openjdk-8: not-affected (8u191-b12-2)