CVE-2017-3272
First published: Mon Jan 16 2017(Updated: )
It was discovered that the atomic field updaters in the in the java.util.concurrent.atomic package in the Libraries component of OpenJDK did not properly restrict access to protected field members. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openjdk-8 | 8u442-ga-2 | |
| Oracle Java SE 7 | =1.6-update_131 | |
| Oracle Java SE 7 | =1.7-update_121 | |
| Oracle Java SE 7 | =1.8-update_111 | |
| Oracle Java SE 7 | =1.8-update_112 | |
| Oracle JRE | =1.6-update_131 | |
| Oracle JRE | =1.7-update_121 | |
| Oracle JRE | =1.8-update_111 | |
| Oracle JRE | =1.8-update_112 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2017-0175.html
- http://rhn.redhat.com/errata/RHSA-2017-0176.html
- http://rhn.redhat.com/errata/RHSA-2017-0177.html
- http://rhn.redhat.com/errata/RHSA-2017-0180.html
- http://rhn.redhat.com/errata/RHSA-2017-0263.html
- http://rhn.redhat.com/errata/RHSA-2017-0269.html
- http://rhn.redhat.com/errata/RHSA-2017-0336.html
- http://rhn.redhat.com/errata/RHSA-2017-0337.html
- http://rhn.redhat.com/errata/RHSA-2017-0338.html
- http://www.debian.org/security/2017/dsa-3782
- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
- http://www.securityfocus.com/bid/95533
- http://www.securitytracker.com/id/1037637
- https://access.redhat.com/errata/RHSA-2017:1216
- https://security.gentoo.org/glsa/201701-65
- https://security.gentoo.org/glsa/201707-01
- https://security.netapp.com/advisory/ntap-20170119-0001/
- https://launchpad.net/bugs/cve/CVE-2017-3272
- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5b2b1dadd53c
- https://rhn.redhat.com/errata/RHSA-2017-0176.html
- https://rhn.redhat.com/errata/RHSA-2017-0175.html
- https://rhn.redhat.com/errata/RHSA-2017-0177.html
- https://rhn.redhat.com/errata/RHSA-2017-0180.html
- https://rhn.redhat.com/errata/RHSA-2017-0263.html
- https://rhn.redhat.com/errata/RHSA-2017-0269.html
- https://rhn.redhat.com/errata/RHSA-2017-0337.html
- https://rhn.redhat.com/errata/RHSA-2017-0336.html
- https://rhn.redhat.com/errata/RHSA-2017-0338.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1413554
- https://security-tracker.debian.org/tracker/CVE-2017-3272
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3272
- https://nvd.nist.gov/vuln/detail/CVE-2017-3272
- https://ubuntu.com/security/CVE-2017-3272
Frequently Asked Questions
What is the severity of CVE-2017-3272?
CVE-2017-3272 is considered a high severity vulnerability.
How do I fix CVE-2017-3272?
To fix CVE-2017-3272, update to the latest version of OpenJDK or Oracle JDK that contains the relevant security patches.
Which software versions are affected by CVE-2017-3272?
CVE-2017-3272 affects OpenJDK 8u432-b06-2 and Oracle JDK versions 1.6-update_131, 1.7-update_121, and 1.8-update_111 and 1.8-update_112.
What impact does CVE-2017-3272 have on applications?
CVE-2017-3272 allows untrusted Java applications or applets to bypass Java sandbox restrictions, potentially leading to unauthorized access.
What is the attack vector for CVE-2017-3272?
The attack vector for CVE-2017-3272 is through the execution of untrusted Java applications or applets that exploit the improper access controls.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-3272
- agent/remedy
- agent/severity
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/debian
- vendor/oracle
- canonical/oracle java se 7
- version/oracle java se 7/1.6-update_131
- version/oracle java se 7/1.7-update_121
- version/oracle java se 7/1.8-update_111
- version/oracle java se 7/1.8-update_112
- canonical/oracle jre
- version/oracle jre/1.6-update_131
- version/oracle jre/1.7-update_121
- version/oracle jre/1.8-update_111
- version/oracle jre/1.8-update_112