| Vendor: | Oracle |
|---|---|
| Product: | Java |
| Affected Version(s): | Java SE 6 <= 6u131, Java SE 7 <= 7u121, Java SE 8 <= 8u112, Java SE Embedded <= 8u111, JRockit <= R28.3.12 |
| Severity: | Critical |
| Reference: | CVE-2017-3241 |
| Researcher: | Nicky Bloor (@NickstaDB) |
| Links: | |
Description
The Java RMI registry deserializes the arguments of incoming remote calls (for example the object passed to bind or rebind) as part of unmarshalling the request, before any check on the caller is made and without restricting which classes the serialized stream may contain. A remote, unauthenticated attacker who can reach the registry port (1099 by default) can therefore send a crafted serialized object graph that is instantiated inside the registry process. Where a suitable deserialization gadget chain is present on the server's classpath, this results in arbitrary code execution on the underlying server with the privileges of the process hosting the registry.
Remediation
Upgrade Java to a version greater than 6u131, 7u121, or 8u112 (the fixed releases from the January 2017 Critical Patch Update are 6u141, 7u131 and 8u121). Java SE Embedded should be upgraded to a version greater than 8u111 and JRockit to a version greater than R28.3.12. The fixed releases introduce serialization filtering (JEP 290) and apply a built-in allowlist to classes that the RMI registry will deserialize; the allowlist can be tightened further with the `sun.rmi.registry.registryFilter` system property. Setting that property on an unpatched release has no effect, so it does not replace the upgrade. Independently of the Java version, the registry port should not be reachable from untrusted networks.
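The following is an added example, not code from the advisory or from Oracle. It shows, on a plain ObjectInputStream, the difference between the pre-fix behaviour described above (any class named in the stream is instantiated and its readObject() runs) and the JEP 290 allowlist filtering that the fixed releases apply to RMI registry arguments. It uses the public java.io.ObjectInputFilter API, which requires Java 9 or later; the `ArbitraryGadget` class is a hypothetical stand-in for a real gadget chain and only prints a message when deserialized.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserialization {

    // Hypothetical stand-in for a class an attacker wants the registry to
    // instantiate. A real gadget chain would do something harmful in
    // readObject(); this one only reports that it ran.
    static final class ArbitraryGadget implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject() of " + getClass().getName()
                    + " ran: attacker-controlled code would execute here");
        }
    }

    // Produce the serialized bytes an attacker would send in a request.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Pre-fix behaviour: every class named in the stream is loaded and
    // instantiated, and its readObject() runs, before the receiving code
    // gets any chance to inspect the result.
    static Object readUnfiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(
                new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Post-fix behaviour: a JEP 290 filter is consulted for every class
    // descriptor in the stream. The pattern "java.lang.*;!*" allows classes
    // in java.lang (Integer and its superclass Number both appear as
    // descriptors) and rejects everything else, including the gadget.
    static Object readFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist =
                ObjectInputFilter.Config.createFilter("java.lang.*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(
                new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(Integer.valueOf(42));
        byte[] gadget = serialize(new ArbitraryGadget());

        System.out.println("filtered, benign: " + readFiltered(benign));

        System.out.println("unfiltered, gadget:");
        readUnfiltered(gadget); // readObject() message is printed

        System.out.println("filtered, gadget:");
        try {
            readFiltered(gadget);
        } catch (InvalidClassException e) {
            // Rejected at class-resolution time; readObject() never ran.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as an InvalidClassException with the message "filter status: REJECTED", raised before any instance of the rejected class exists. The `sun.rmi.registry.registryFilter` property mentioned in the remediation takes a pattern in this same JEP 290 syntax and is applied by the patched registry to the arguments of incoming calls; the same pattern syntax also works process-wide through the `jdk.serialFilter` property.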