CVE-2017-10388 in Ubuntu

CVE-2017-10388

Priority

Description

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE
(subcomponent: Libraries). Supported versions that are affected are Java
SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to
exploit vulnerability allows unauthenticated attacker with network access
via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks
require human interaction from a person other than the attacker. Successful
attacks of this vulnerability can result in takeover of Java SE, Java SE
Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score
7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Ubuntu-Description

Jeffrey Altman discovered that the Kerberos client implementation in
OpenJDK incorrectly trusted unauthenticated portions of Kerberos
tickets. A remote attacker could use this to impersonate trusted
network services or perform other attacks.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixJAVA
https://www.orpheus-lyre.info/
https://usn.ubuntu.com/usn/usn-3473-1
https://usn.ubuntu.com/usn/usn-3497-1

Notes

sbeattie

another instance of the Orpheus-Lyre vulnerability

Package

Source: icedtea-web (LP Ubuntu Debian)

Upstream:	not-affected
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 ESM (Trusty Tahr):	DNE (trusty was not-affected)
Ubuntu 16.04 LTS (Xenial Xerus):	not-affected
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected
Ubuntu 19.04 (Disco Dingo):	not-affected
Ubuntu 19.10 (Eoan Ermine):	not-affected
Ubuntu 20.04 (Focal Fossa):	not-affected

Package

Source: openjdk-6 (LP Ubuntu Debian)

Upstream:	released
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 ESM (Trusty Tahr):	DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE
Ubuntu 19.04 (Disco Dingo):	DNE
Ubuntu 19.10 (Eoan Ermine):	DNE
Ubuntu 20.04 (Focal Fossa):	DNE

Package

Source: openjdk-7 (LP Ubuntu Debian)

Upstream:	released
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 ESM (Trusty Tahr):	DNE (trusty was released [7u151-2.6.11-2ubuntu0.14.04.1])
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE
Ubuntu 19.04 (Disco Dingo):	DNE
Ubuntu 19.10 (Eoan Ermine):	DNE
Ubuntu 20.04 (Focal Fossa):	DNE

Package

Source: openjdk-8 (LP Ubuntu Debian)

Upstream:	released (8u151)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 ESM (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	released (8u151-b12-0ubuntu0.16.04.2)
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected (8u151-b12-1)
Ubuntu 19.04 (Disco Dingo):	not-affected (8u151-b12-1)
Ubuntu 19.10 (Eoan Ermine):	not-affected (8u151-b12-1)
Ubuntu 20.04 (Focal Fossa):	not-affected (8u151-b12-1)

Patches:

Upstream:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/6805783b9875

Package

Source: openjdk-9 (LP Ubuntu Debian)

Upstream:	released (9.0.1)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 ESM (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	needed
Ubuntu 18.04 LTS (Bionic Beaver):	DNE
Ubuntu 19.04 (Disco Dingo):	DNE
Ubuntu 19.10 (Eoan Ermine):	DNE
Ubuntu 20.04 (Focal Fossa):	DNE

More Information

Updated: 2019-12-05 19:39:31 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)