CVE-2017-10388

Priority
Medium
Description
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE
(subcomponent: Libraries). Supported versions that are affected are Java
SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to
exploit vulnerability allows unauthenticated attacker with network access
via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks
require human interaction from a person other than the attacker. Successful
attacks of this vulnerability can result in takeover of Java SE, Java SE
Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score
7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
Ubuntu-Description
Jeffrey Altman discovered that the Kerberos client implementation in
OpenJDK incorrectly trusted unauthenticated portions of Kerberos
tickets. A remote attacker could use this to impersonate trusted
network services or perform other attacks.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixJAVA
https://www.orpheus-lyre.info/
https://usn.ubuntu.com/usn/usn-3473-1
https://usn.ubuntu.com/usn/usn-3497-1
Notes
 sbeattie> another instance of the Orpheus-Lyre vulnerability
Package
Source: openjdk-7 (LP Ubuntu Debian)
Upstream:released
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (7u151-2.6.11-2ubuntu0.14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Package
Source: openjdk-6 (LP Ubuntu Debian)
Upstream:released
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Package
Source: openjdk-9 (LP Ubuntu Debian)
Upstream:released (9.0.1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 17.10 (Artful Aardvark):ignored (reached end-of-life)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Package
Source: icedtea-web (LP Ubuntu Debian)
Upstream:not-affected
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):not-affected
Ubuntu 16.04 LTS (Xenial Xerus):not-affected
Ubuntu 17.10 (Artful Aardvark):not-affected
Ubuntu 18.04 LTS (Bionic Beaver):not-affected
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected
Package
Source: openjdk-8 (LP Ubuntu Debian)
Upstream:released (8u151)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (8u151-b12-0ubuntu0.16.04.2)
Ubuntu 17.10 (Artful Aardvark):released (8u151-b12-0ubuntu0.17.10.2)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (8u151-b12-1)
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected (8u151-b12-1)
Patches:
Upstream:http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/6805783b9875
More Information

Updated: 2018-07-20 15:19:11 UTC (commit a528766076160b2c60cf56892e2070e2c83615a3)