CVE-2018-3180

Name of the Vulnerable Software and Affected Versions Java SE versions 6u201, 7u191, 8u182 and 11 Java SE Embedded version 8u181 JRockit version R28.3.19

Description The issue is related to inadequate access control in the JSSE component of Oracle Java SE, allowing an unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, and JRockit. This can result in unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data and the ability to cause a partial denial of service. The vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component.

Recommendations For Java SE versions 6u201, 7u191, 8u182 and 11, update to a version that includes the fix for this issue. For Java SE Embedded version 8u181, update to a version that includes the fix for this issue. For JRockit version R28.3.19, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the JSSE component until a patch is available. Avoid using APIs in the JSSE component that supply data to untrusted code until the issue is resolved.