CVE-2017-10388 in Ubuntu

CVE-2017-10388

Priority

Description

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE
(subcomponent: Libraries). Supported versions that are affected are Java
SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to
exploit vulnerability allows unauthenticated attacker with network access
via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks
require human interaction from a person other than the attacker. Successful
attacks of this vulnerability can result in takeover of Java SE, Java SE
Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score
7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Ubuntu-Description

Jeffrey Altman discovered that the Kerberos client implementation in
OpenJDK incorrectly trusted unauthenticated portions of Kerberos
tickets. A remote attacker could use this to impersonate trusted
network services or perform other attacks.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixJAVA
https://www.orpheus-lyre.info/
https://usn.ubuntu.com/usn/usn-3473-1
https://usn.ubuntu.com/usn/usn-3497-1

Notes

sbeattie> another instance of the Orpheus-Lyre vulnerability

Package

Source: icedtea-web (LP Ubuntu Debian)

Upstream:	not-affected
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	not-affected
Ubuntu 16.04 LTS (Xenial Xerus):	not-affected
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected
Ubuntu 18.10 (Cosmic Cuttlefish):	not-affected
Ubuntu 19.04 (Disco Dingo):	not-affected

Package

Source: openjdk-6 (LP Ubuntu Debian)

Upstream:	released
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	needed
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE
Ubuntu 18.10 (Cosmic Cuttlefish):	DNE
Ubuntu 19.04 (Disco Dingo):	DNE

Package

Source: openjdk-7 (LP Ubuntu Debian)

Upstream:	released
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	released (7u151-2.6.11-2ubuntu0.14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE
Ubuntu 18.10 (Cosmic Cuttlefish):	DNE
Ubuntu 19.04 (Disco Dingo):	DNE

Package

Source: openjdk-8 (LP Ubuntu Debian)

Upstream:	released (8u151)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	released (8u151-b12-0ubuntu0.16.04.2)
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected (8u151-b12-1)
Ubuntu 18.10 (Cosmic Cuttlefish):	not-affected (8u151-b12-1)
Ubuntu 19.04 (Disco Dingo):	not-affected (8u151-b12-1)

Patches:

Upstream:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/6805783b9875

Package

Source: openjdk-9 (LP Ubuntu Debian)

Upstream:	released (9.0.1)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	needed
Ubuntu 18.04 LTS (Bionic Beaver):	DNE
Ubuntu 18.10 (Cosmic Cuttlefish):	DNE
Ubuntu 19.04 (Disco Dingo):	DNE

More Information

Updated: 2019-01-14 21:22:49 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)