Oracle Java SE 7u231/8u221/11.0.4/13 Kerberos information disclosure

Summaryinfo

A vulnerability, which was classified as critical, was found in Oracle Java SE 7u231/8u221/11.0.4/13. The impacted element is an unknown function of the component Kerberos. Executing a manipulation can lead to information disclosure. This vulnerability is handled as CVE-2019-2949. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Oracle Java SE 7u231/8u221/11.0.4/13 (Programming Language Software). It has been declared as critical. This vulnerability affects some unknown functionality of the component Kerberos. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. CVE summarizes:

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Kerberos). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

The weakness was released 10/16/2019 as Oracle Critical Patch Update Advisory - October 2019 as confirmed advisory (Website). The advisory is shared for download at oracle.com. This vulnerability was named CVE-2019-2949. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

The vulnerability scanner Nessus provides a plugin with the ID 208620 (CentOS 7 : java-1.8.0-ibm (RHSA-2020:2237)), which helps to determine the existence of the flaw in a target environment.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (208620). Entries connected to this vulnerability are available at VDB-143620, VDB-143661, VDB-143632 and VDB-143631. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Programming Language Software

Vendor

• Oracle

Name

• Java SE

Version

• 7u231
• 8u221
• 11.0.4
• 13

License

• open-source

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion