SRC-2017-0028 : Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability
CVE ID:
CVE-2017-10309
CVSS Score:
6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Affected Vendors:
Oracle
Affected Products:
Java SE
Vulnerability Details:
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Oracle Java SE. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of JNLP files. The issue lies in the failure to properly restrict the use of XML External Entity (XXE) references. A specially crafted JNLP file can cause the XML parser to access the contents of an external entity and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose sensitive information under the context of the current process.
Vendor Response:
Oracle has issued an update to correct these vulnerabilities. More details can be found at:
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Disclosure Timeline:
- 2017-06-07 – Verified and sent to Oracle
- 2017-09-17 – Coordinated public release of advisory
Proof of Concept:
Credit:
This vulnerability was discovered by Steven Seeley (mr_me) of Source Incite