CVE-2017-10285
📋 TL;DR
CVE-2017-10285 is a vulnerability in the RMI subcomponent of Oracle Java SE and Java SE Embedded, fixed in the October 2017 Critical Patch Update and rated critical (CVSS 3.0 base score 9.6). An unauthenticated attacker with network access can use it to take over the Java runtime, but only in deployments that load and run untrusted code and rely on the Java sandbox for security: typically clients running sandboxed Java Web Start applications or applets. Oracle rates it difficult to exploit, and it needs a victim's interaction (for example, opening a malicious page or JNLP file). Server deployments that run only trusted, administrator-installed code are not affected.
💻 Affected Systems
- Oracle Java SE
- Oracle Java SE Embedded
📦 What is this software?
Products recorded as affected:
- E Series Santricity Management Plug Ins by Netapp
- E Series Santricity Os Controller by Netapp
- E Series Santricity Storage Manager by Netapp
- E Series Santricity Web Services by Netapp
- Jdk by Oracle (listed once per affected release line: 6, 7, 8 and 9)
- Jre by Oracle (listed once per affected release line: 6, 7, 8 and 9)
- Satellite by Redhat
- Steelstore Cloud Integrated Storage by Netapp
- Storage Replication Adapter For Clustered Data Ontap by Netapp
- Vasa Provider For Clustered Data Ontap by Netapp
The NetApp and Red Hat products appear because they bundle or depend on the affected Java runtime; see the vendor advisories under References.
⚠️ Risk & Real-World Impact
Worst Case
Takeover of the Java runtime with the privileges of the user who ran the malicious applet or Web Start application. Where that user is an administrator this is complete system compromise: data theft, system destruction, and persistent backdoor installation.
Likely Case
Arbitrary code execution in the context of the user's Java process on a workstation, leading to credential theft, data exfiltration, or lateral movement from that host into the rest of the network.
If Mitigated
Deployments that run only trusted, administrator-installed code (typically servers) are not affected. Clients with the browser plugin disabled, Web Start limited to whitelisted applications, or Java removed entirely have no practical exposure.
🎯 Exploit Status
Oracle rates the vulnerability as difficult to exploit (CVSS attack complexity High). It needs no authentication but requires a person other than the attacker to take an action, such as opening a malicious web page or JNLP file. None of the advisories listed under References point to a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Java SE: 6u171, 7u161, 8u151, 9.0.1; Java SE Embedded: 8u151
Vendor Advisory: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Restart Required: Yes
Instructions:
1. Download the fixed release (6u171, 7u161, 8u151 or 9.0.1) from Oracle. On Linux distributions that ship OpenJDK, install the vendor package updates referenced below instead (Red Hat RHSA, Debian DSA, Gentoo GLSA).
2. Uninstall old Java versions, including JREs bundled with applications.
3. Install the updated version.
4. Restart affected applications/services, and any browser that loads the Java plugin.
🔧 Temporary Workarounds
Disable Java Web Start and applets
Prevent execution of untrusted Java content in browsers.
Browser-specific: disable the Java plugin in browser settings.
Network segmentation
Restrict RMI traffic to trusted networks only. Caveat: this protects servers that expose an RMI registry (TCP 1099 by default) from untrusted clients; it does not address the client-side case this CVE describes, where the malicious applet or JNLP content reaches the victim over HTTP and the RMI code runs inside the victim's own JVM. The firewalld rule below only allows the trusted source; it has no effect if port 1099 is also opened for the whole zone.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="1099" accept' && firewall-cmd --reload
netsh advfirewall firewall add rule name="Block Java RMI" dir=in action=block protocol=TCP localport=1099
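The browser-side workaround above can be enforced centrally rather than per browser. The following is an added example, not code from the page or from Oracle: it writes a system-level deployment.properties that turns off Java content in the browser and pins the security level, plus the deployment.config that makes every JRE on the host load it. The property names are Oracle's documented deployment properties; the directory /etc/.java/deployment is the usual Linux system location and is an assumption here (Windows uses a different location under the Windows directory), which is why the install function takes the directory as an argument.

```shell
#!/bin/sh
# Added example (not from the page or from Oracle): write a system-wide
# Java deployment policy that disables Java content in the browser and
# restricts the deployment stack to code signed by a trusted CA.
# Property names follow Oracle's Java Deployment Configuration guide;
# the install directory is passed in (assumed /etc/.java/deployment on
# Linux) so the function can also be exercised against a temp dir.

# render_deployment_properties: emit the hardened property set on stdout.
# Each setting has a ".locked" companion so users cannot re-enable it
# from the Java Control Panel.
render_deployment_properties() {
  cat <<'EOF'
# Disable Java content in the browser (applets and in-browser JNLP).
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
# Only run applications signed with a certificate from a trusted CA.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
EOF
}

# install_deployment_config DIR: write DIR/deployment.properties and the
# DIR/deployment.config that points the JRE at it and makes it mandatory.
install_deployment_config() {
  dir=$1
  mkdir -p "$dir"
  render_deployment_properties > "$dir/deployment.properties"
  cat > "$dir/deployment.config" <<EOF
deployment.system.config=file://$dir/deployment.properties
deployment.system.config.mandatory=true
EOF
}

# policy_disables_browser_java FILE: returns 0 when FILE carries the
# locked webjava=false setting, 1 otherwise. Handy for verifying a host.
policy_disables_browser_java() {
  grep -qx 'deployment.webjava.enabled=false' "$1" &&
  grep -qx 'deployment.webjava.enabled.locked' "$1"
}

# Usage on a Linux host (as root):
#   install_deployment_config /etc/.java/deployment
#   policy_disables_browser_java /etc/.java/deployment/deployment.properties && echo ok
```

The webjava switch only covers the browser plugin; a Web Start application launched directly from a downloaded JNLP file still runs, subject to the VERY_HIGH security level. Combine this with the application whitelisting the page recommends if standalone Web Start is not needed.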
🧯 If You Can't Patch
- Disable Java completely on systems that don't require it
- Implement application whitelisting to prevent execution of unauthorized Java applications
🔍 How to Verify
Check if Vulnerable:
Run 'java -version'. The last affected updates are 6u161, 7u151, 8u144 and 9 (Embedded 8u144); the output uses the form 1.8.0_144 for Java 6, 7 and 8 and 9 or 9.0.x for Java 9. Treat anything at or below those update levels, including older out-of-support releases, as vulnerable.
Check Version:
java -version
Verify Fix Applied:
Confirm the Java version is 6u171+, 7u161+, 8u151+, 9.0.1+ or Embedded 8u151+ (printed as 1.6.0_171, 1.7.0_161, 1.8.0_151, 9.0.1). Check every installed JRE, not only the one first on PATH; JREs bundled inside applications are a common miss.
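Comparing version strings by eye is error-prone because Java 6 to 8 print 1.M.0_UU and Java 9 prints M[.m.p], with build suffixes on both. The following script is an added example, not the page's or Oracle's own tooling: it extracts the version from the first line of `java -version` and classifies it against the fix levels given above (6u171, 7u161, 8u151, 9.0.1). The fix levels and string formats are from the advisory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or from Oracle): decide whether a Java
# version string is at or above the CVE-2017-10285 fix level. Fix levels
# are the ones in the advisory: 6u171, 7u161, 8u151, 9.0.1 (Embedded 8u151
# uses the same 8uNNN numbering). Handles both the legacy "1.M.0_UU[-bNN]"
# form printed by Java 6/7/8 and the "M[.m[.p]][+build]" form of Java 9+.

# min_update_for MAJOR: lowest update number carrying the fix on that line.
min_update_for() {
  case "$1" in
    6) echo 171 ;;
    7) echo 161 ;;
    8) echo 151 ;;
    *) echo "" ;;
  esac
}

# java_fix_status VERSION: prints fixed / vulnerable / unknown and returns
# 0 / 1 / 2. "unknown" covers lines the advisory does not cover (e.g. 1.5).
java_fix_status() {
  v=$1
  v=${v%%-*}        # drop "-b12" build suffix
  v=${v%%+*}        # drop "+9" build suffix
  case "$v" in
    1.*)            # Java 6/7/8, e.g. 1.8.0_144
      major=$(printf '%s' "$v" | cut -d. -f2)
      update=$(printf '%s' "$v" | cut -d_ -f2 -s)
      [ -n "$update" ] || update=0
      min=$(min_update_for "$major")
      [ -n "$min" ] || { echo unknown; return 2; }
      [ "$update" -ge "$min" ] && { echo fixed; return 0; }
      echo vulnerable; return 1 ;;
    9|9.*)          # Java 9: plain "9" is affected, 9.0.1 and later are fixed
      minor=$(printf '%s' "$v" | cut -d. -f2 -s); [ -n "$minor" ] || minor=0
      patch=$(printf '%s' "$v" | cut -d. -f3 -s); [ -n "$patch" ] || patch=0
      { [ "$minor" -gt 0 ] || [ "$patch" -ge 1 ]; } && { echo fixed; return 0; }
      echo vulnerable; return 1 ;;
    *)              # Java 10 and later postdate the fix
      major=${v%%.*}
      [ "$major" -ge 10 ] 2>/dev/null && { echo fixed; return 0; }
      echo unknown; return 2 ;;
  esac
}

# parse_java_version_line LINE: extract the quoted version from the first
# line of `java -version`, e.g. 'openjdk version "1.8.0_151"' -> 1.8.0_151.
parse_java_version_line() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Check the JVM on PATH, if there is one (java -version writes to stderr).
if command -v java >/dev/null 2>&1; then
  ver=$(parse_java_version_line "$(java -version 2>&1 | head -n 1)")
  printf 'java %s: %s\n' "$ver" "$(java_fix_status "$ver")"
fi
```

Run it once per installed JRE (point it at each bin/java, or feed each `java -version` line to parse_java_version_line) rather than trusting the one on PATH.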
📡 Detection & Monitoring
Log Indicators:
- java, javaws or the browser plugin process spawning shells or other unexpected child processes on workstations
- JNLP or applet launches from domains not on the allow list
- Java Web Start/applet execution errors or security-warning dialogs in deployment traces
Network Indicators:
- On servers that expose an RMI registry: connections to the registry port (1099 by default) from untrusted sources, and Java serialization streams (magic bytes AC ED 00 05) in that traffic
- On clients: JNLP or JAR downloads from untrusted hosts, which is how the malicious content reaches the sandbox
SIEM Query (pseudo-query; map the field names to your own schema):
source="java.log" AND (event="RMI" OR event="WebStart") AND dest_ip NOT IN [trusted_networks]
🔗 References
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/101319
- http://www.securitytracker.com/id/1039596
- https://access.redhat.com/errata/RHSA-2017:2998
- https://access.redhat.com/errata/RHSA-2017:2999
- https://access.redhat.com/errata/RHSA-2017:3046
- https://access.redhat.com/errata/RHSA-2017:3047
- https://access.redhat.com/errata/RHSA-2017:3264
- https://access.redhat.com/errata/RHSA-2017:3267
- https://access.redhat.com/errata/RHSA-2017:3268
- https://access.redhat.com/errata/RHSA-2017:3392
- https://access.redhat.com/errata/RHSA-2017:3453
- https://lists.debian.org/debian-lts-announce/2017/11/msg00033.html
- https://security.gentoo.org/glsa/201710-31
- https://security.gentoo.org/glsa/201711-14
- https://security.netapp.com/advisory/ntap-20171019-0001/
- https://www.debian.org/security/2017/dsa-4015
- https://www.debian.org/security/2017/dsa-4048
- https://www.synology.com/support/security/Synology_SA_17_66_OpenJDK