SRC-2017-0028 : Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability



CVSS Score:

6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Vendors:


Affected Products:

Java SE

Vulnerability Details:

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Oracle Java SE. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of JNLP files. The issue lies in the failure to properly restrict the use of XML External Entity (XXE) references. A specially crafted JNLP file can cause the XML parser to access the contents of an external entity and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose sensitive information under the context of the current process.

Vendor Response:

Oracle has issued an update to correct these vulnerabilities. More details can be found at:

Disclosure Timeline:

  • 2017-06-07 – Verified and sent to Oracle
  • 2017-09-17 – Coordinated public release of advisory

Proof of Concept:



This vulnerability was discovered by Steven Seeley (mr_me) of Source Incite