CVE-2017-10274
First published: Fri Oct 13 2017(Updated: )
It was discovered that the CardImpl class in the Smart Card IO component of OpenJDK failed to properly update its state in the finalize() method. An untrusted Java application or applet could possibly use this flaw to gain unexpected access to a smart card, bypassing certain Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openjdk-8 | 8u382-ga-2 | |
| Oracle JDK 6 | =1.6.0-update161 | |
| Oracle JDK 6 | =1.7.0-update151 | |
| Oracle JDK 6 | =1.8.0-update144 | |
| Oracle JDK 6 | =1.9.0 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update161 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update151 | |
| Oracle Java Runtime Environment (JRE) | =1.8.0-update144 | |
| Oracle Java Runtime Environment (JRE) | =1.9.0 | |
| Debian GNU/Linux | =7.0 | |
| Debian GNU/Linux | =8.0 | |
| Debian GNU/Linux | =9.0 | |
| redhat enterprise Linux desktop | =6.0 | |
| redhat enterprise Linux desktop | =7.0 | |
| redhat enterprise Linux eus | =7.4 | |
| redhat enterprise Linux eus | =7.5 | |
| redhat enterprise Linux eus | =7.6 | |
| redhat enterprise Linux eus | =7.7 | |
| redhat enterprise Linux server | =6.0 | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux server aus | =7.4 | |
| redhat enterprise Linux server aus | =7.6 | |
| redhat enterprise Linux server aus | =7.7 | |
| redhat enterprise Linux server tus | =7.4 | |
| redhat enterprise Linux server tus | =7.6 | |
| redhat enterprise Linux server tus | =7.7 | |
| redhat enterprise Linux workstation | =6.0 | |
| redhat enterprise Linux workstation | =7.0 | |
| netapp active iq unified manager windows | >=7.3 | |
| NetApp Active IQ Unified Manager for VMware vSphere | >=9.5 | |
| netapp cloud backup | ||
| NetApp E-Series SANtricity Management Plug-ins for VMware vCenter | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.70.1 | |
| netapp e-series santricity storage manager | ||
| netapp e-series santricity Web services Web services proxy | ||
| NetApp Element Software | ||
| NetApp OnCommand Balance | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Performance Manager | ||
| NetApp OnCommand Shift | ||
| NetApp OnCommand Unified Manager for vSphere | <=7.1 | |
| NetApp OnCommand Unified Manager for Windows | <=7.1 | |
| NetApp OnCommand Unified Manager for 7-Mode | ||
| NetApp OnCommand Workflow Automation | ||
| netapp plug-in for symantec netbackup | ||
| netapp snapmanager Oracle | ||
| netapp snapmanager sap | ||
| NetApp SteelStore | ||
| NetApp Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere | >=7.2 | |
| NetApp Storage Replication Adapter for Clustered Data ONTAP | >=7.2 | |
| NetApp VASA Provider | >=7.2 | |
| NetApp VASA Provider | =6.0 | |
| NetApp Virtual Storage Console for VMware vSphere | >=7.2 | |
| NetApp Virtual Storage Console for VMware vSphere | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/101333
- http://www.securitytracker.com/id/1039596
- https://access.redhat.com/errata/RHSA-2017:2998
- https://access.redhat.com/errata/RHSA-2017:2999
- https://access.redhat.com/errata/RHSA-2017:3046
- https://access.redhat.com/errata/RHSA-2017:3047
- https://access.redhat.com/errata/RHSA-2017:3392
- https://lists.debian.org/debian-lts-announce/2017/11/msg00033.html
- https://security.gentoo.org/glsa/201710-31
- https://security.gentoo.org/glsa/201711-14
- https://security.netapp.com/advisory/ntap-20171019-0001/
- https://www.debian.org/security/2017/dsa-4015
- https://www.debian.org/security/2017/dsa-4048
- https://www.synology.com/support/security/Synology_SA_17_66_OpenJDK
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/8913fd33ceee
- https://bugzilla.redhat.com/show_bug.cgi?id=1502053
- https://security-tracker.debian.org/tracker/CVE-2017-10274
Frequently Asked Questions
What is the severity of CVE-2017-10274?
CVE-2017-10274 has been assigned a medium severity rating due to its potential to allow unauthorized access to smart cards.
How do I fix CVE-2017-10274?
To remediate CVE-2017-10274, upgrade OpenJDK to version 8u382-ga-2 or later on affected systems.
Which versions of JDK are affected by CVE-2017-10274?
CVE-2017-10274 affects multiple Oracle JDK and JRE versions including 1.6.0-update161, 1.7.0-update151, and 1.8.0-update144.
What can exploit CVE-2017-10274?
An untrusted Java application or applet can exploit CVE-2017-10274 to bypass Java sandbox restrictions.
Is CVE-2017-10274 specific to certain operating systems?
CVE-2017-10274 impacts multiple operating systems, including various versions of Debian and Red Hat Enterprise Linux.
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-10274
- agent/severity
- agent/references
- agent/remedy
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.6.0-update161
- version/oracle jdk 6/1.7.0-update151
- version/oracle jdk 6/1.8.0-update144
- version/oracle jdk 6/1.9.0
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.6.0-update161
- version/oracle java runtime environment (jre)/1.7.0-update151
- version/oracle java runtime environment (jre)/1.8.0-update144
- version/oracle java runtime environment (jre)/1.9.0
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/7.0
- version/debian gnu/linux/8.0
- version/debian gnu/linux/9.0
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/7.4
- version/redhat enterprise linux eus/7.5
- version/redhat enterprise linux eus/7.6
- version/redhat enterprise linux eus/7.7
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- version/redhat enterprise linux server aus/7.7
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.4
- version/redhat enterprise linux server tus/7.6
- version/redhat enterprise linux server tus/7.7
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- vendor/netapp
- canonical/netapp active iq unified manager windows
- version/netapp active iq unified manager windows/7.3
- canonical/netapp active iq unified manager for vmware vsphere
- version/netapp active iq unified manager for vmware vsphere/9.5
- canonical/netapp cloud backup
- canonical/netapp e-series santricity management plug-ins for vmware vcenter
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.70.1
- canonical/netapp e-series santricity storage manager
- canonical/netapp e-series santricity web services web services proxy
- canonical/netapp element software
- canonical/netapp oncommand balance
- canonical/netapp oncommand insight
- canonical/netapp oncommand performance manager
- canonical/netapp oncommand shift
- canonical/netapp oncommand unified manager for vsphere
- version/netapp oncommand unified manager for vsphere/7.1
- canonical/netapp oncommand unified manager for windows
- version/netapp oncommand unified manager for windows/7.1
- canonical/netapp oncommand unified manager for 7-mode
- canonical/netapp oncommand workflow automation
- canonical/netapp plug-in for symantec netbackup
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- canonical/netapp steelstore
- canonical/netapp storage replication adapter for clustered data ontap for vmware vsphere
- version/netapp storage replication adapter for clustered data ontap for vmware vsphere/7.2
- canonical/netapp storage replication adapter for clustered data ontap
- version/netapp storage replication adapter for clustered data ontap/7.2
- canonical/netapp vasa provider
- version/netapp vasa provider/7.2
- version/netapp vasa provider/6.0
- canonical/netapp virtual storage console for vmware vsphere
- version/netapp virtual storage console for vmware vsphere/7.2
- version/netapp virtual storage console for vmware vsphere/6.0