What is CVE-2018-2603?

CVE-2018-2603 is a vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries).

What are the affected versions of Java SE?

The affected versions of Java SE are 6u171, 7u161, 8u152, and 9.0.1.

How can an attacker exploit CVE-2018-2603?

An unauthenticated attacker can easily exploit CVE-2018-2603.

What is the severity of CVE-2018-2603?

The severity of CVE-2018-2603 is medium, with a severity value of 5.3.

Where can I find more information about CVE-2018-2603?

You can find more information about CVE-2018-2603 on the MITRE CVE website.

Vulnerability/
CVE-2018-2603

medium

5.3

15/1/2018

18/1/2018

21/11/2024

CVE-2018-2603

First published: Mon Jan 15 2018(Updated: )

It was discovered that the DerValue class in the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER (Distinguished Encoding Rules) encoded input. It could allocate a large amount of memory even when processing short input. A remote attacker could possibly use this flaw to make a Java application use an excessive amount of memory if it parsed attacker-supplied DER encoded input.

Credit: secalert_us@oracle.com secalert_us@oracle.com secalert_us@oracle.com

Affected Software	Affected Version	How to fix
debian/openjdk-8		8u442-ga-2
Oracle JDK 6	=1.6.0-update171
Oracle JDK 6	=1.7.0-update161
Oracle JDK 6	=1.8.0-update152
Oracle JDK 6	=1.9.0.1
Oracle Java Runtime Environment (JRE)	=1.6.0-update171
Oracle Java Runtime Environment (JRE)	=1.7.0-update161
Oracle Java Runtime Environment (JRE)	=1.8.0-update152
Oracle Java Runtime Environment (JRE)	=1.9.0.1
BEA JRockit	=r28.3.16
redhat satellite	=5.6
redhat satellite	=5.7
redhat satellite	=5.8
redhat enterprise Linux desktop	=6.0
redhat enterprise Linux desktop	=7.0
redhat enterprise Linux server	=6.0
redhat enterprise Linux server	=7.0
redhat enterprise Linux server aus	=7.4
redhat enterprise Linux server aus	=7.6
redhat enterprise Linux server eus	=7.4
redhat enterprise Linux server eus	=7.5
redhat enterprise Linux server eus	=7.6
redhat enterprise Linux server tus	=7.4
redhat enterprise Linux server tus	=7.6
redhat enterprise Linux workstation	=6.0
redhat enterprise Linux workstation	=7.0
Debian	=7.0
Debian	=8.0
Debian	=9.0
Ubuntu	=14.04
Ubuntu	=16.04
Ubuntu	=17.10
Schneider Electric EcoStruxure Data Center Expert	<7.6.0
HP P9000 Command View Advanced Edition Software	>=8.6.2-01
HP XP P9000 Command View	>=8.6.2-01
HP P9000 Command View Advanced Edition Software	>=8.6.2-01
Oracle JDK 6	=9.0.1
Oracle Java Runtime Environment (JRE)	=9.0.1

Remedy

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2018-2603?
CVE-2018-2603 is a vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries).
What are the affected versions of Java SE?
The affected versions of Java SE are 6u171, 7u161, 8u152, and 9.0.1.
How can an attacker exploit CVE-2018-2603?
An unauthenticated attacker can easily exploit CVE-2018-2603.
What is the severity of CVE-2018-2603?
The severity of CVE-2018-2603 is medium, with a severity value of 5.3.
Where can I find more information about CVE-2018-2603?
You can find more information about CVE-2018-2603 on the MITRE CVE website.

agent/type
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2018-2603
agent/severity
agent/author
agent/first-publish-date
collector/usn-cve
source/Ubuntu
agent/references
agent/remedy
agent/description
agent/event
collector/mitre-cve
source/MITRE
agent/trending
agent/last-modified-date
agent/source
collector/security-tracker-debian
source/Debian
agent/software-canonical-lookup
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
collector/nvd-api
package-manager/debian
vendor/oracle
canonical/oracle jdk 6
version/oracle jdk 6/1.6.0-update171
version/oracle jdk 6/1.7.0-update161
version/oracle jdk 6/1.8.0-update152
version/oracle jdk 6/1.9.0.1
canonical/oracle java runtime environment (jre)
version/oracle java runtime environment (jre)/1.6.0-update171
version/oracle java runtime environment (jre)/1.7.0-update161
version/oracle java runtime environment (jre)/1.8.0-update152
version/oracle java runtime environment (jre)/1.9.0.1
canonical/bea jrockit
version/bea jrockit/r28.3.16
vendor/redhat
canonical/redhat satellite
version/redhat satellite/5.6
version/redhat satellite/5.7
version/redhat satellite/5.8
canonical/redhat enterprise linux desktop
version/redhat enterprise linux desktop/6.0
version/redhat enterprise linux desktop/7.0
canonical/redhat enterprise linux server
version/redhat enterprise linux server/6.0
version/redhat enterprise linux server/7.0
canonical/redhat enterprise linux server aus
version/redhat enterprise linux server aus/7.4
version/redhat enterprise linux server aus/7.6
canonical/redhat enterprise linux server eus
version/redhat enterprise linux server eus/7.4
version/redhat enterprise linux server eus/7.5
version/redhat enterprise linux server eus/7.6
canonical/redhat enterprise linux server tus
version/redhat enterprise linux server tus/7.4
version/redhat enterprise linux server tus/7.6
canonical/redhat enterprise linux workstation
version/redhat enterprise linux workstation/6.0
version/redhat enterprise linux workstation/7.0
vendor/debian
canonical/debian
version/debian/7.0
version/debian/8.0
version/debian/9.0
vendor/canonical
canonical/ubuntu
version/ubuntu/14.04
version/ubuntu/16.04
version/ubuntu/17.10
vendor/schneider-electric
canonical/schneider electric ecostruxure data center expert
vendor/hp
canonical/hp p9000 command view advanced edition software
version/hp p9000 command view advanced edition software/8.6.2-01
canonical/hp xp p9000 command view
version/hp xp p9000 command view/8.6.2-01
version/oracle jdk 6/9.0.1
version/oracle java runtime environment (jre)/9.0.1