CVE-2017-10388

Priority
Medium
Description
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE
(subcomponent: Libraries). Supported versions that are affected are Java
SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to
exploit vulnerability allows unauthenticated attacker with network access
via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks
require human interaction from a person other than the attacker. Successful
attacks of this vulnerability can result in takeover of Java SE, Java SE
Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score
7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
Ubuntu-Description
Jeffrey Altman discovered that the Kerberos client implementation in
OpenJDK incorrectly trusted unauthenticated portions of Kerberos
tickets. A remote attacker could use this to impersonate trusted
network services or perform other attacks.
Notes
 sbeattie> another instance of the Orpheus-Lyre vulnerability
Package
Upstream: released
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Package
Upstream: released
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Package
Upstream: released (9.0.1)
Ubuntu 17.10 (Artful Aardvark): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 17.04 (Zesty Zapus): needed
Package
Upstream: not-affected
Ubuntu 17.10 (Artful Aardvark): not-affected
Ubuntu 18.04 LTS (Bionic Beaver): not-affected
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): not-affected
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Ubuntu 17.04 (Zesty Zapus): not-affected
Package
Upstream: released (8u151)
Ubuntu 17.10 (Artful Aardvark): released (8u151-b12-0ubuntu0.17.10.2)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (8u151-b12-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (8u151-b12-0ubuntu0.16.04.2)
Ubuntu 17.04 (Zesty Zapus): released (8u151-b12-0ubuntu0.17.04.2)
Patches:
Upstream: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/6805783b9875

Updated: 2017-11-08 10:14:18 UTC (commit 13651)