CVE-2019-2684 - Improper Access Control

Severity: 43%
Complexity: 86%
Confidentiality: 48%

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 3.0 Base Score 5.9. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Overview

First reported: 2019-04-23 19:32:00
Last updated: 2019-06-04 17:29:00

Affected Software

Oracle JDK 1.7.0 Update 211
Oracle JDK 1.8.0 Update 201
Oracle JDK 1.8.0 Update 202
Oracle JDK 11.0.2
Oracle JDK 12
Oracle JRE 1.7.0 Update 211
Oracle JRE 1.8.0 Update 201
Oracle JRE 1.8.0 Update 202
Oracle JRE 11.0.2
Oracle JRE 12
Red Hat OpenShift Container Platform 3.11
openSUSE Leap 15.0
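As a triage aid for the affected-version list above, here is an added Python example (not code from this page, from Oracle, or from any of the distributions referenced) that parses a `java -version` banner and reports whether the runtime falls inside the affected range. It assumes that on each release line every update at or below the one listed (7u211, 8u202, 11.0.2, 12) is affected, which is how Oracle's "supported versions that are affected" wording is normally read but is not stated on this page, and it treats OpenJDK banners the same way because the Red Hat, SUSE and Debian advisories in the References cover the same bug. The sample banners are constructed, not captured from real hosts.

```python
"""Flag a Java runtime as in scope for CVE-2019-2684 from its `java -version` banner."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, update), e.g. 1.8.0_202 -> (8, 0, 202)

# Latest affected release on each line, as listed in the advisory text on this page
# (Java SE 7u211, 8u202, 11.0.2 and 12). Assumption: earlier updates on the same
# line are affected too, so anything at or below the listed release is flagged.
AFFECTED_THROUGH = {
    7: (7, 0, 211),
    8: (8, 0, 202),
    11: (11, 0, 2),
    12: (12, 0, 0),
}

_BANNER_RE = re.compile(r'version "([^"]+)"')
# Legacy scheme used by 7 and 8: 1.<major>.0_<update>[-b<build>]
_LEGACY_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")
# JEP 223 scheme used by 9 and later: <major>[.<minor>[.<update>]][+<build>]
_MODERN_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_java_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, update) from a `java -version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    raw = m.group(1)
    if raw.startswith("1."):
        lm = _LEGACY_RE.match(raw)
        if not lm:
            return None
        return (int(lm.group(1)), 0, int(lm.group(3) or 0))
    mm = _MODERN_RE.match(raw)
    if not mm:
        return None
    return (int(mm.group(1)), int(mm.group(2) or 0), int(mm.group(3) or 0))


def is_affected(banner: str) -> Optional[bool]:
    """True if the release is at or below the listed affected release for its
    line, False if newer or on a line this advisory does not list, None if the
    banner could not be parsed."""
    version = parse_java_version(banner)
    if version is None:
        return None
    ceiling = AFFECTED_THROUGH.get(version[0])
    if ceiling is None:
        return False
    return version <= ceiling


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    'java version "1.8.0_202"',                 # listed as affected
    'java version "1.8.0_211"',                 # later 8u release: not flagged
    'openjdk version "11.0.2" 2019-01-15',      # listed as affected
    'openjdk version "11.0.3" 2019-04-16',      # later 11 release: not flagged
    'java version "12" 2019-03-19',             # listed as affected
    'java version "12.0.1" 2019-04-16',         # later 12 release: not flagged
    'openjdk version "17.0.1" 2021-10-19',      # line not covered by this advisory
]


def local_java_banner() -> Optional[str]:
    """Run `java -version` on this host; the banner is printed to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:42} affected={is_affected(banner)}")
    local = local_java_banner()
    if local:
        print("local JVM:", local.splitlines()[0], "affected=", is_affected(local))
```

Run it as-is to score the constructed banners and, if a `java` binary is on PATH, the local JVM. The page does not state the fixed version on each line; the April 2019 Critical Patch Update linked under References is the authoritative source for that, so treat a "not flagged" result for a release newer than the listed one as "outside the range this page describes" rather than as proof of a patched build.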

References

openSUSE-SU-2019:1327 (Third Party Advisory)
openSUSE-SU-2019:1438
openSUSE-SU-2019:1439
openSUSE-SU-2019:1500
http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (Patch, Vendor Advisory)
RHBA-2019:0959 (Third Party Advisory)
RHSA-2019:1146
RHSA-2019:1163
RHSA-2019:1164
RHSA-2019:1165
RHSA-2019:1166
RHSA-2019:1238
RHSA-2019:1325
RHSA-2019:1518
[tomcat-dev] 20191218 svn commit: r1871756 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml
[tomcat-announce] 20191218 [SECURITY] CVE-2019-12418 Local Privilege Escalation
[tomcat-users] 20191218 [SECURITY] CVE-2019-12418 Local Privilege Escalation
[announce] 20191218 [SECURITY] CVE-2019-12418 Local Privilege Escalation
[tomcat-dev] 20191218 [SECURITY] CVE-2019-12418 Local Privilege Escalation
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/
[debian-lts-announce] 20190510 [SECURITY] [DLA 1782-1] openjdk-7 security update
20190530 [SECURITY] [DSA 4453-1] openjdk-8 security update
GLSA-201908-10
https://support.f5.com/csp/article/K11175903?utm_source=f5support&utm_medium=RSS
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03959en_us
USN-3975-1
DSA-4453
