The following advisory describes two (2) vulnerabilities found in Oracle Java JDK/JRE (220.127.116.11 and previous versions) packages and Apache Xerces (2.11.0)
The vulnerabilities are:
- Oracle JDK/JRE Concurrency-Related Denial of Service
- java.net.URLConnection (with no setConnectTimeout) Concurrency-Related Denial of Service
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Update 1: Oracle has released patches to address this vulnerability and assigned CVE-2017-10355
Oracle acknowledged receiving the report, and has assigned it a tracking number: S0876966. We have no further information on patch availability or a workaround.