CVE-2017-3526
First published: Tue Apr 18 2017(Updated: )
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK 6 | =1.6-update_141 | |
| Oracle JDK 6 | =1.7-update_131 | |
| Oracle JDK 6 | =1.8-update_121 | |
| Oracle Java Runtime Environment (JRE) | =1.6-update_141 | |
| Oracle Java Runtime Environment (JRE) | =1.7-update_131 | |
| Oracle Java Runtime Environment (JRE) | =1.8-update_121 | |
| BEA JRockit | =r28.3.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.debian.org/security/2017/dsa-3858
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
- http://www.securityfocus.com/bid/97733
- http://www.securitytracker.com/id/1038286
- https://access.redhat.com/errata/RHSA-2017:1108
- https://access.redhat.com/errata/RHSA-2017:1109
- https://access.redhat.com/errata/RHSA-2017:1117
- https://access.redhat.com/errata/RHSA-2017:1118
- https://access.redhat.com/errata/RHSA-2017:1119
- https://access.redhat.com/errata/RHSA-2017:1204
- https://security.gentoo.org/glsa/201705-03
- https://security.gentoo.org/glsa/201707-01
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/756b7a2f20cc
- https://bugzilla.redhat.com/show_bug.cgi?id=1443252
Frequently Asked Questions
What is the severity of CVE-2017-3526?
CVE-2017-3526 is classified as a difficult-to-exploit vulnerability affecting certain versions of Oracle Java SE.
How do I fix CVE-2017-3526?
To mitigate CVE-2017-3526, update to the latest patched versions of Oracle Java SE accordingly.
Which versions of Java are affected by CVE-2017-3526?
CVE-2017-3526 affects Java SE versions 6u141, 7u131, 8u121, as well as Java SE Embedded and JRockit R28.3.13.
Who can exploit CVE-2017-3526?
CVE-2017-3526 can be exploited by an unauthenticated attacker over the network.
What components are involved in CVE-2017-3526?
CVE-2017-3526 involves the JAXP component of Oracle Java SE, Java SE Embedded, and JRockit.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-3526
- agent/author
- agent/severity
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.6-update_141
- version/oracle jdk 6/1.7-update_131
- version/oracle jdk 6/1.8-update_121
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.6-update_141
- version/oracle java runtime environment (jre)/1.7-update_131
- version/oracle java runtime environment (jre)/1.8-update_121
- canonical/bea jrockit
- version/bea jrockit/r28.3.13