// For flags

CVE-2017-10118

OpenJDK: ECDSA implementation timing attack (JCE, 8175110)

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerabilidad en los componentes Java SE, Java SE Embedded y JRockit de Oracle Java SE (subcomponente: JCE). Las versiones compatibles que se han visto afectadas son Java SE: 7u141 y 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Una vulnerabilidad fácilmente explotable permite que un atacante sin autenticar que tenga acceso a red por medio de múltiples protocolos comprometa la seguridad de Java SE, Java SE Embedded y JRockit. Los ataques exitosos a esta vulnerabilidad pueden resultar en un acceso no autorizado a datos de suma importancia o un acceso completo a todos los datos accesibles de Java SE, Java SE Embedded y JRockit. Nota: Esta vulnerabilidad puede ser explotada mediante aplicaciones Java Web Start en sandbox y applets Java en sandbox. También puede ser explotada proporcionando datos a las API en los componentes especificados sin emplear aplicaciones Java Web Start en sandbox o applets Java en sandbox, como a través de un servicio web. CVSS 3.0 Base Score 7.5 (impactos en la confidencialidad). Vector CVSS: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2017-06-21 CVE Reserved
  • 2017-07-20 CVE Published
  • 2023-10-04 EPSS Updated
  • 2024-10-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-385: Covert Timing Channel
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Oracle
Search vendor "Oracle"
Jdk
Search vendor "Oracle" for product "Jdk"
1.7.0
Search vendor "Oracle" for product "Jdk" and version "1.7.0"
update141
Affected
Oracle
Search vendor "Oracle"
Jdk
Search vendor "Oracle" for product "Jdk"
1.8.0
Search vendor "Oracle" for product "Jdk" and version "1.8.0"
update131
Affected
Oracle
Search vendor "Oracle"
Jre
Search vendor "Oracle" for product "Jre"
1.7.0
Search vendor "Oracle" for product "Jre" and version "1.7.0"
update141
Affected
Oracle
Search vendor "Oracle"
Jre
Search vendor "Oracle" for product "Jre"
1.8.0
Search vendor "Oracle" for product "Jre" and version "1.8.0"
update131
Affected
Oracle
Search vendor "Oracle"
Jrockit
Search vendor "Oracle" for product "Jrockit"
r28.3.14
Search vendor "Oracle" for product "Jrockit" and version "r28.3.14"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Phoenixcontact
Search vendor "Phoenixcontact"
Fl Mguard Dm
Search vendor "Phoenixcontact" for product "Fl Mguard Dm"
<= 1.8.0
Search vendor "Phoenixcontact" for product "Fl Mguard Dm" and version " <= 1.8.0"
-
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
>= 7.3
Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 7.3"
windows
Affected
Netapp
Search vendor "Netapp"
Active Iq Unified Manager
Search vendor "Netapp" for product "Active Iq Unified Manager"
>= 9.5
Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 9.5"
vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
Cloud Backup
Search vendor "Netapp" for product "Cloud Backup"
--
Affected
Netapp
Search vendor "Netapp"
E-series Santricity Os Controller
Search vendor "Netapp" for product "E-series Santricity Os Controller"
>= 11.0 <= 11.70.1
Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0 <= 11.70.1"
-
Affected
Netapp
Search vendor "Netapp"
E-series Santricity Storage Manager
Search vendor "Netapp" for product "E-series Santricity Storage Manager"
--
Affected
Netapp
Search vendor "Netapp"
Element Software
Search vendor "Netapp" for product "Element Software"
--
Affected
Netapp
Search vendor "Netapp"
Oncommand Balance
Search vendor "Netapp" for product "Oncommand Balance"
--
Affected
Netapp
Search vendor "Netapp"
Oncommand Insight
Search vendor "Netapp" for product "Oncommand Insight"
--
Affected
Netapp
Search vendor "Netapp"
Oncommand Performance Manager
Search vendor "Netapp" for product "Oncommand Performance Manager"
-vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
Oncommand Shift
Search vendor "Netapp" for product "Oncommand Shift"
--
Affected
Netapp
Search vendor "Netapp"
Oncommand Unified Manager
Search vendor "Netapp" for product "Oncommand Unified Manager"
<= 7.1
Search vendor "Netapp" for product "Oncommand Unified Manager" and version " <= 7.1"
vsphere
Affected
Netapp
Search vendor "Netapp"
Oncommand Unified Manager
Search vendor "Netapp" for product "Oncommand Unified Manager"
<= 7.1
Search vendor "Netapp" for product "Oncommand Unified Manager" and version " <= 7.1"
windows
Affected
Netapp
Search vendor "Netapp"
Oncommand Unified Manager
Search vendor "Netapp" for product "Oncommand Unified Manager"
-7-mode
Affected
Netapp
Search vendor "Netapp"
Plug-in For Symantec Netbackup
Search vendor "Netapp" for product "Plug-in For Symantec Netbackup"
--
Affected
Netapp
Search vendor "Netapp"
Snapmanager
Search vendor "Netapp" for product "Snapmanager"
-oracle
Affected
Netapp
Search vendor "Netapp"
Snapmanager
Search vendor "Netapp" for product "Snapmanager"
-sap
Affected
Netapp
Search vendor "Netapp"
Steelstore Cloud Integrated Storage
Search vendor "Netapp" for product "Steelstore Cloud Integrated Storage"
--
Affected
Netapp
Search vendor "Netapp"
Storage Replication Adapter For Clustered Data Ontap
Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap"
>= 7.2
Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap" and version " >= 7.2"
windows
Affected
Netapp
Search vendor "Netapp"
Storage Replication Adapter For Clustered Data Ontap
Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap"
9.6
Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap" and version "9.6"
vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
Vasa Provider For Clustered Data Ontap
Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap"
>= 7.2
Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap" and version " >= 7.2"
-
Affected
Netapp
Search vendor "Netapp"
Vasa Provider For Clustered Data Ontap
Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap"
6.0
Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap" and version "6.0"
-
Affected
Netapp
Search vendor "Netapp"
Virtual Storage Console
Search vendor "Netapp" for product "Virtual Storage Console"
>= 7.2
Search vendor "Netapp" for product "Virtual Storage Console" and version " >= 7.2"
vmware_vsphere
Affected
Netapp
Search vendor "Netapp"
Virtual Storage Console
Search vendor "Netapp" for product "Virtual Storage Console"
6.0
Search vendor "Netapp" for product "Virtual Storage Console" and version "6.0"
vmware_vsphere
Affected