Java RMI Potential Deserialization RCE

Vendor: Oracle
Product: Java
Affected Version(s): Java SE 6 <= 6u131, Java SE 7 <= 7u121, Java SE 8 <= 8u112, Java SE Embedded <= 8u111, JRockit <= R28.3.12
Severity: Critical
Reference: CVE-2017-3241
Researcher: Nicky Bloor (@NickstaDB)
Links:

Description

When an object is bound to Java's RMI (Remote Method Invocation) registry, the registry deserializes the incoming object without proper validation. An unauthenticated attacker who can reach the registry could therefore execute arbitrary code on the underlying server.

Remediation

Upgrade Java to a version that is greater than 6u131, 7u121, or 8u112. Java SE Embedded should be upgraded to a version greater than 8u111 and JRockit should be upgraded to a version greater than R28.3.12.
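To illustrate the "proper validation" the description says is missing, the following is an added Java example (not code from the advisory or from the researcher) that installs a JEP 290 allow-list deserialization filter on an ObjectInputStream and shows a class outside the allow-list being rejected before it is instantiated. It requires Java 9 or later for java.io.ObjectInputFilter; the Entry type and the filter pattern are constructed for this example, and the filter is a defensive illustration, not a substitute for the upgrade above.

```java
import java.io.*;
import java.util.HashMap;

public class RegistryStyleFilterDemo {

    // Allow-list filter: accept only the types a caller legitimately needs
    // (here a constructed stand-in type plus String), reject everything else,
    // and cap the graph depth so deeply nested object graphs are cut off.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;RegistryStyleFilterDemo$Entry;java.lang.String;!*");

    // Hypothetical payload type standing in for an object a remote peer sends.
    static final class Entry implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Entry(String name) { this.name = name; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allow-list filter installed. Any class outside the
    // allow-list makes readObject() throw InvalidClassException before that
    // class's readObject/readResolve code gets a chance to run.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected type, one type outside the allow-list.
        Object ok = readFiltered(serialize(new Entry("svc")));
        System.out.println("accepted: " + ok.getClass().getName());
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```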
