SSD Advisory – Oracle Java and Apache Xerces PDF/Docx Server Side DoS

Want to get paid for a vulnerability similar to this one?
Contact us at: ssd@beyondsecurity.com
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Oracle Java JDK/JRE (1.8.0.131 and previous versions) packages and Apache Xerces (2.11.0).

The vulnerabilities are:

  • Oracle JDK/JRE Concurrency-Related Denial of Service
  • java.net.URLConnection (with no setConnectTimeout) Concurrency-Related Denial of Service

Credit
An independent security researcher has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Update 1: Oracle has released patches to address this vulnerability and assigned CVE-2017-10355.

Oracle acknowledged receiving the report, and has assigned it a tracking number: S0876966. We have no further information on patch availability or a workaround.
