CVE-2017-10295

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.0 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N).

Published: 2017-10-19 Last update: 2026-05-13 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2017-10295 is rated Moderate Risk (45.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.20%). EPSS rose +1.89% over the last day, indicating growing attacker interest. Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2017-10295

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.31% 2.20% +1.89%
2 2026-05-13 0.35% 0.31% -0.05%
3 2025-12-28 0.35%

Full EPSS history (20 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2017-10295

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.0 3.1 MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.
 2.2 1.4 [email protected]
4.3 2.0 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
 8.6 2.9 [email protected]

Weakness enumeration for CVE-2017-10295

OS Trackers for CVE-2017-10295

vendor priority summary link
debian not yet assigned CVE-2017-10295 not yet assigned priority: Debian including 1 source packages (openjdk-8), 1 status rows across 1 suites (sid): resolved 1. https://security-tracker.debian.org/tracker/CVE-2017-10295
gentoo normal CVE-2017-10295: 2 GLSA(s) (201710-31, 201711-14), 3 atom(s) (dev-java/icedtea-bin, dev-java/oracle-jdk-bin, dev-java/oracle-jre-bin); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2017-10295
redhat medium https://access.redhat.com/security/cve/CVE-2017-10295
suse medium CVE-2017-10295 severity moderate: SUSE including 174 source package names (java-1.7.0-openjdk-1.7.0.161-2.6.12.0.el7_4, java-1.7.0-openjdk-accessibility-1.7.0.161-2.6.12.0.el7_4, …), 442 product×package rows across 59 product lines (Image SLES12-SP5-Azure-SAP-BYOS, Image SLES12-SP5-Azure-SAP-On-Demand, … (59 product lines)): Fixed 361, Known Not Affected 81. https://www.suse.com/security/cve/CVE-2017-10295/
ubuntu medium CVE-2017-10295 medium priority: Ubuntu including 5 source packages (icedtea-web, openjdk-6, openjdk-7, openjdk-8, openjdk-9), 80 status rows across 16 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, trusty, upstream, xenial, zesty): DNE 43, not-affected 26, released 8, ignored 3. https://ubuntu.com/security/CVE-2017-10295

Affected software / configurations for CVE-2017-10295

Vendor Product Version Raw CPE
oracle jdk 1.6.0 cpe:2.3:a:oracle:jdk:1.6.0:update161:*:*:*:*:*:*
oracle jdk 1.7.0 cpe:2.3:a:oracle:jdk:1.7.0:update151:*:*:*:*:*:*
oracle jdk 1.8.0 cpe:2.3:a:oracle:jdk:1.8.0:update144:*:*:*:*:*:*
oracle jdk 1.9.0 cpe:2.3:a:oracle:jdk:1.9.0:*:*:*:*:*:*:*
oracle jre 1.6.0 cpe:2.3:a:oracle:jre:1.6.0:update161:*:*:*:*:*:*
oracle jre 1.7.0 cpe:2.3:a:oracle:jre:1.7.0:update151:*:*:*:*:*:*
oracle jre 1.8.0 cpe:2.3:a:oracle:jre:1.8.0:update144:*:*:*:*:*:*
oracle jre 1.9.0 cpe:2.3:a:oracle:jre:1.9.0:*:*:*:*:*:*:*
oracle jrockit r28.3.15 cpe:2.3:a:oracle:jrockit:r28.3.15:*:*:*:*:*:*:*
debian debian_linux 7.0 cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
debian debian_linux 8.0 cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
redhat satellite 5.8 cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*
redhat enterprise_linux_desktop 6.0 cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
redhat enterprise_linux_desktop 7.0 cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
redhat enterprise_linux_eus 7.4 cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
redhat enterprise_linux_eus 7.5 cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
redhat enterprise_linux_eus 7.6 cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
redhat enterprise_linux_eus 7.7 cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
redhat enterprise_linux_server 6.0 cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
redhat enterprise_linux_server 7.0 cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 7.4 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 7.6 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
redhat enterprise_linux_server_aus 7.7 cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
redhat enterprise_linux_server_tus 7.4 cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
redhat enterprise_linux_server_tus 7.6 cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
redhat enterprise_linux_server_tus 7.7 cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
redhat enterprise_linux_workstation 6.0 cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
redhat enterprise_linux_workstation 7.0 cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
netapp active_iq_unified_manager >= 7.3 cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
netapp active_iq_unified_manager >= 9.5 cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
netapp cloud_backup cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
netapp e-series_santricity_management_plug-ins cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:*:*:*:*:vmware_vcenter:*:*
netapp e-series_santricity_os_controller >= 11.0, <= 11.70.1 cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
netapp e-series_santricity_storage_manager cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*
netapp e-series_santricity_web_services cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*
netapp element_software cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
netapp oncommand_balance cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
netapp oncommand_insight cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
netapp oncommand_performance_manager cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:vmware_vsphere:*:*
netapp oncommand_shift cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
netapp oncommand_unified_manager <= 7.1 cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*
netapp oncommand_unified_manager <= 7.1 cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*
netapp oncommand_unified_manager cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:7-mode:*:*
netapp oncommand_workflow_automation cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
netapp plug-in_for_symantec_netbackup cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*
netapp snapmanager cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
netapp snapmanager cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
netapp steelstore_cloud_integrated_storage cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
netapp storage_replication_adapter_for_clustered_data_ontap >= 7.2 cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:*
netapp storage_replication_adapter_for_clustered_data_ontap >= 7.2 cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:windows:*:*
netapp vasa_provider_for_clustered_data_ontap >= 7.2 cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:*
netapp vasa_provider_for_clustered_data_ontap 6.0 cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:6.0:*:*:*:*:*:*:*
netapp virtual_storage_console >= 7.2 cpe:2.3:a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:*
netapp virtual_storage_console 6.0 cpe:2.3:a:netapp:virtual_storage_console:6.0:*:*:*:*:vmware_vsphere:*:*

References for CVE-2017-10295

URL Tags
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html Patch Vendor Advisory
http://www.securityfocus.com/bid/101384 Broken Link
http://www.securitytracker.com/id/1039596 Broken Link
https://access.redhat.com/errata/RHSA-2017:2998 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2999 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3046 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3047 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3264 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3267 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3268 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3392 Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3453 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/11/msg00033.html Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201710-31 Third Party Advisory
https://security.gentoo.org/glsa/201711-14 Third Party Advisory
https://security.netapp.com/advisory/ntap-20171019-0001/ Third Party Advisory
https://www.debian.org/security/2017/dsa-4015 Third Party Advisory
https://www.debian.org/security/2017/dsa-4048 Third Party Advisory
cvelogic Threat Intelligence