Cyber Resilience

CVE-2011-3544

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 19 October 2011
Modified: 22 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9254 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2011-3544 is a critical-severity Improper Access Control (CWE-284) vulnerability in the Oracle JRE. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an unspecified issue in the Java Runtime Environment component of Oracle Java SE JDK and JRE 7, and 6 Update 27 and earlier. It is tracked under CWE-284 and NVD-CWE-noinfo, carries a CVSS 3.1 score of 9.8, and is related to the Scripting subsystem, with impacts to confidentiality, integrity, and availability.

Remote attackers can exploit the flaw via untrusted Java Web Start applications or untrusted Java applets delivered over the network. No privileges or user interaction are required, enabling complete compromise of the affected Java environment.

Vendor advisories referenced in the disclosure, including OpenSUSE security announcements, Red Hat errata such as RHSA-2013-1455, and multiple Bugtraq postings, direct administrators to apply the corresponding Java updates that remediate the Scripting-related vectors. No information on observed in-the-wild exploitation is provided in the source data.

EU & UK References

Vulnerability details

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

CWE(s): CWE-284, NVD-CWE-noinfo
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- oracle jdk: 1.6.0, 1.7.0 · ≤ 1.6.0
- oracle jre: 1.6.0, 1.7.0 · ≤ 1.6.0
- canonical ubuntu linux: 10.04, 10.10, 11.04, 11.10
- redhat satellite with embedded oracle: 5.4
- suse linux enterprise java: 10
- suse linux enterprise server: 10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- prevent · SI-2 (Flaw Remediation): Directly requires timely application of vendor patches that remediate the Scripting flaw in Java SE 6/7.
- prevent · SC-18 (Mobile Code): Explicitly governs acceptance and execution of mobile code such as untrusted Java applets and Web Start applications.
- prevent · Enforces disabling or restricting unnecessary Java scripting and applet execution capabilities that the vulnerability exploits.

References