CVE-2017-10350 in Java SE

Summary

by MITRE

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).


Analysis

by VulDB Data Team • 01/18/2021

CVE-2017-10350 is a flaw in the JAX-WS (Java API for XML Web Services) subcomponent of Oracle Java SE and Java SE Embedded. Oracle lists the then-current releases Java SE 7u151, 8u144 and 9, and Java SE Embedded 8u144, as affected; earlier updates on those release lines predate the fix and should be treated the same way. The impact is confined to availability: the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L yields a base score of 5.3, with no confidentiality or integrity impact and no change of scope, i.e. no sandbox escape.

Oracle's advisory does not describe the root cause, so the mechanism can only be inferred from the scoring: a low-complexity, unauthenticated trigger whose only effect is degraded availability, which is consistent with the CWE-400 (Uncontrolled Resource Consumption) classification attached to this entry. What the advisory does make explicit is the attack path. The vulnerability applies to deployments that load and run untrusted code inside the Java sandbox, typically a browser applet or a Java Web Start application. The attacker therefore does not need to reach a JAX-WS service on a server; the malicious code is delivered to the client over the network (which is what the Network attack vector reflects) and calls into JAX-WS from inside the sandbox. Oracle's standard phrase "network access via multiple protocols" should be read in that light, and the advisory explicitly excludes server deployments that run only administrator-installed code.

The Low availability rating (A:L) corresponds to reduced performance or intermittent interruptions rather than a complete outage, which is what Oracle calls a partial denial of service. In practice the affected process is the JVM hosting the untrusted code (the browser plug-in or the javaws launcher), so the user-visible effect is an unresponsive or crashed Java process, not a compromise of the host. This matters most where sandboxed applets or Web Start applications are still part of a business workflow, because the same JVM instance may be running the legitimate application the attacker wants to disrupt.

Because the sandbox is not bypassed, the threat model is disruption rather than code execution or data theft. In ATT&CK terms the delivery is Drive-by Compromise (T1189) or a user opening a malicious JNLP file, and the effect is Endpoint Denial of Service (T1499) under the Impact tactic; Resource Hijacking (T1496) is a technique rather than a tactic and describes cryptomining-style abuse of compute, which is not what this bug enables. The 5.3 base score places the issue at medium severity. On its own it would not justify emergency action, but the Oracle Critical Patch Update of October 2017 that fixes it also fixes higher-severity Java SE issues, so the update itself should not be deferred.

Mitigation is to update to the October 2017 Critical Patch Update or later (Java SE 7u161, 8u151 and 9.0.1, and the corresponding Java SE Embedded 8 update). Where a client cannot be patched, the effective compensating control is to stop untrusted applets and Web Start applications from running at all: disable the browser Java plug-in, or deploy a Deployment Rule Set that permits only signed applications from approved locations and blocks everything else. Network segmentation adds little here, because the client initiates the connection that fetches the untrusted code; filtering JNLP and applet downloads from unknown origins at the web proxy is the relevant network-side control. Longer term, the Applet API was deprecated in Java 9 and the plug-in and Web Start were removed from Oracle's Java 11, so client fleets still exercising this code path are already behind on platform lifecycle. For detection, unexplained hangs or crashes of java, javaws or browser plug-in processes, and JNLP retrievals from unexpected origins in proxy logs, are the signals worth alerting on.
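As an added example (not part of the VulDB entry or of Oracle's advisory), the following Python triages captured `java -version` output against the first releases that carry the CVE-2017-10350 fix, taken from Oracle's October 2017 Critical Patch Update (7u161, 8u151, 9.0.1). It normalises both the legacy `1.8.0_144` and the Java 9 `9.0.1` version string formats, drops build suffixes such as `-b12` or `+11`, and assumes that any older update on a covered release line is still affected. The host names and version outputs are constructed sample data.

```python
import re
import subprocess

# First releases carrying the CVE-2017-10350 fix, from Oracle's October 2017
# Critical Patch Update (Java SE 7u161, 8u151 and 9.0.1), as (feature, interim,
# update). Assumption: anything older on the same release line is still
# affected. Release lines absent from the advisory (e.g. Java 10+) are
# reported as "not listed" rather than guessed at.
FIXED_IN = {
    7: (7, 0, 161),
    8: (8, 0, 151),
    9: (9, 0, 1),
}

_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")  # e.g. 1.8.0_144
_NEW = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")   # e.g. 9, 9.0.1, 11.0.2


def parse_java_version(version):
    """Normalise a Java version string to a comparable (feature, interim, update).

    Build and pre-release suffixes are dropped first, so
    "1.8.0_151-b12" -> (8, 0, 151) and "9.0.1+11" -> (9, 0, 1).
    """
    core = version.split("-", 1)[0].split("+", 1)[0]
    m = _LEGACY.match(core)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _NEW.match(core)
    if m:
        return tuple(int(g or 0) for g in m.groups())
    raise ValueError(f"unrecognised Java version string: {version!r}")


def is_affected(version):
    """True if the version predates the fix on its release line.

    Returns None for release lines the advisory does not cover.
    """
    parsed = parse_java_version(version)
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def extract_version(java_version_output):
    """Pull the quoted version out of `java -version` output (written to stderr)."""
    m = re.search(r'version "([^"]+)"', java_version_output)
    if not m:
        raise ValueError("no version string found in output")
    return m.group(1)


def triage(outputs):
    """Map host -> 'affected' | 'fixed' | 'not listed' for captured outputs."""
    labels = {True: "affected", False: "fixed", None: "not listed"}
    return {host: labels[is_affected(extract_version(out))]
            for host, out in outputs.items()}


# Constructed sample data (hypothetical hosts, not real inventory): the first
# lines `java -version` would print on each machine.
SAMPLE_OUTPUTS = {
    "ws-01": 'java version "1.8.0_144"\nJava(TM) SE Runtime Environment (build 1.8.0_144-b01)\n',
    "ws-02": 'openjdk version "1.8.0_151"\nOpenJDK Runtime Environment (build 1.8.0_151-b12)\n',
    "ws-03": 'java version "9"\nJava(TM) SE Runtime Environment (build 9+181)\n',
    "ws-04": 'java version "9.0.1"\nJava(TM) SE Runtime Environment (build 9.0.1+11)\n',
    "ws-05": 'openjdk version "11.0.2" 2019-01-15\nOpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n',
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_OUTPUTS).items():
        print(f"{host}: {status}")
    # Also check the local JVM, if one is on PATH; java -version prints to stderr.
    try:
        local = subprocess.run(["java", "-version"], capture_output=True,
                               text=True, check=False)
        print("localhost:", triage({"localhost": local.stderr})["localhost"])
    except FileNotFoundError:
        print("localhost: no java on PATH")
```

Feed `triage` the stderr of `java -version` collected from each host (for example via your configuration management tool) and act on every `affected` entry; `not listed` entries are outside the advisory's scope and need no action for this CVE.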

Reservation

06/21/2017

Disclosure

10/19/2017

Moderation

accepted

CPE

ready

EPSS

0.00602

KEV

no

Activities

very low

Sources
