CVE-2011-3544
Published: 19 October 2011
Summary
CVE-2011-3544 is a critical-severity Improper Access Control (CWE-284) vulnerability in Oracle Java SE (JDK and JRE). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations identified here are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an unspecified issue in the Java Runtime Environment component of Oracle Java SE, affecting JDK and JRE 7 (the initial release, before Update 1) and 6 Update 27 and earlier. It is tracked under CWE-284 and NVD-CWE-noinfo, carries a CVSS 3.1 score of 9.8, and is associated with the Scripting subcomponent; it allows impact on confidentiality, integrity, and availability.
Remote attackers can exploit the flaw through untrusted Java Web Start applications or untrusted Java applets delivered over the network. The CVSS 3.1 vector behind the 9.8 score assumes no privileges and no user interaction, and a successful exploit compromises confidentiality, integrity, and availability of the affected Java environment. In practice the attacker still needs the victim's JRE to load the hostile applet or Web Start application, typically by getting the user to open a malicious or compromised web page, so the browser plugin and Web Start launcher are the exposed surface.
Vendor advisories referenced in the disclosure, including openSUSE security announcements, Red Hat errata such as RHSA-2013-1455, and multiple Bugtraq postings, direct administrators to apply the corresponding Java updates that remediate the Scripting-related vectors. The NVD description itself gives no detail on observed exploitation, but the CVE's inclusion in the CISA KEV catalog confirms that it has been exploited in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2011-3507
Vulnerability details
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
- CWE(s): CWE-284 (Improper Access Control), NVD-CWE-noinfo
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patches that remediate the Scripting flaw in Java SE 6/7.
- SC-18 (Mobile Code): explicitly governs acceptance and execution of mobile code such as untrusted Java applets and Web Start applications.
- Where patching is delayed, disabling or restricting unnecessary Java applet and Web Start execution removes the vector the vulnerability exploits; the Java install used only by server-side or desktop applications does not need the browser plugin.
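The following is an added example supporting the SI-2 (Flaw Remediation) step above; it is not code from the advisory, from NVD or from Oracle. It triages captured `java -version` output against the affected range the advisory states, reading "JRE 7" as the initial Java SE 7 release (no update level) and "6 Update 27 and earlier" literally; any other version is reported as not affected by this CVE. Host names and outputs are constructed, and the special handling of OpenJDK builds is my own caveat: distribution packages backport fixes without changing the "1.6.0_xx" string, so for those the package version must be compared against the vendor erratum (such as the Red Hat errata referenced above) rather than the update number.

```python
import re

# First line of `java -version` (the JVM prints it to stderr, so capture 2>&1), e.g.
#   java version "1.6.0_27"
#   java version "1.7.0"
#   openjdk version "1.6.0_24"
# Legacy numbering "1.<family>.0_<update>": the update part is optional and may be
# zero-padded ("_01"); any vendor suffix after the update ("-b07") is ignored.
_VERSION_RE = re.compile(
    r'^\s*(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"',
    re.MULTILINE,
)


def parse_java_version(version_output):
    """Return (family, update) from `java -version` output, e.g. (6, 27) or (7, 0).

    Raises ValueError when no version line is present, so a host whose JRE is
    missing or broken is reported rather than silently counted as safe.
    """
    match = _VERSION_RE.search(version_output)
    if match is None:
        raise ValueError("no 'java version' line in output")
    major, minor, _micro, update = match.groups()
    # "1.6.0_27" is Java SE 6 Update 27: with a leading "1." the family is the
    # second field. Later JDKs (9 and up) drop the "1." prefix.
    family = int(minor) if int(major) == 1 else int(major)
    return family, int(update) if update is not None else 0


def is_affected(family, update):
    """Affected range as the advisory states it: Java SE 7 (initial release, no
    update level) and Java SE 6 Update 27 and earlier.

    Anything outside that range is reported as not affected *by this CVE*. A
    Java SE 5 or older JRE is end-of-life and has its own problems, but is not
    what this entry covers.
    """
    if family == 7:
        return update == 0
    if family == 6:
        return update <= 27
    return False


def triage(outputs):
    """Map host name -> captured `java -version` text; return a sorted list of
    (host, verdict) with verdict in {'affected', 'not affected', 'check errata',
    'unknown'}."""
    results = []
    for host, text in outputs.items():
        try:
            family, update = parse_java_version(text)
        except ValueError:
            results.append((host, "unknown"))
            continue
        if "OpenJDK" in text:
            # Distribution OpenJDK builds backport fixes without bumping the
            # "1.6.0_xx" string, so the update number is not evidence either way;
            # compare the package version against the vendor erratum instead.
            results.append((host, "check errata"))
        elif is_affected(family, update):
            results.append((host, "affected"))
        else:
            results.append((host, "not affected"))
    return sorted(results)


# Constructed sample inventory (not real hosts): text captured from
# `java -version 2>&1` on each machine.
SAMPLE_OUTPUTS = {
    "ws-01": 'java version "1.6.0_27"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_27-b07)\n'
             'Java HotSpot(TM) Client VM (build 20.2-b06, mixed mode)\n',
    "ws-02": 'java version "1.7.0"\n'
             'Java(TM) SE Runtime Environment (build 1.7.0-b147)\n',
    "ws-03": 'java version "1.7.0_01"\n'
             'Java(TM) SE Runtime Environment (build 1.7.0_01-b08)\n',
    "srv-01": 'java version "1.6.0_24"\n'
              'OpenJDK Runtime Environment (IcedTea6 1.11.4)\n',
    "srv-02": 'java version "1.6.0_29"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_29-b11)\n',
    "srv-03": "bash: java: command not found\n",
}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_OUTPUTS):
        print(f"{host:8} {verdict}")
```

Feed it the `java -version 2>&1` text collected by whatever inventory tool you already have; the "unknown" and "check errata" verdicts exist precisely so that hosts the script cannot classify are surfaced for manual follow-up instead of disappearing from the patch list.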