CVE-2018-2800 [Medium] | Security Vulnerability in Jdk

Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-13	0.29%	0.24%	-0.05%
2	2025-12-28	0.20%	0.29%	+0.09%
3	2025-12-27	—	0.20%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-13

0.29%

0.24%

-0.05%

2025-12-28

0.20%

0.29%

+0.09%

2025-12-27

—

0.20%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.2	3.0	MEDIUM	`CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	1.6	2.5	[email protected]
4.0	2.0	MEDIUM	`AV:N/AC:H/Au:N/C:P/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:H) Exploitation requires uncommon or highly specific conditions. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	4.9	4.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.2

3.0

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

1.6

2.5

[email protected]

4.0

2.0

MEDIUM

AV:N/AC:H/Au:N/C:P/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:H): Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

4.9

[email protected]

OS Trackers for CVE-2018-2800

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2018-2800 not yet assigned priority: Debian including 1 source packages (openjdk-8), 1 status rows across 1 suites (sid): resolved 1.	https://security-tracker.debian.org/tracker/CVE-2018-2800
`gentoo`	normal	CVE-2018-2800: 1 GLSA(s) (201903-14), 2 atom(s) (dev-java/oracle-jdk-bin, dev-java/oracle-jre-bin); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2018-2800
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2018-2800
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2018-2800/
`ubuntu`	medium	CVE-2018-2800 medium priority: Ubuntu including 3 source packages (openjdk-6, openjdk-7, openjdk-8), 21 status rows across 7 suites (artful, bionic, cosmic, disco, trusty, upstream, xenial): DNE 12, released 4, needs-triage 3, not-affected 2.	https://ubuntu.com/security/CVE-2018-2800

Affected software / configurations for CVE-2018-2800

Vendor	Product	Version	Raw CPE
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update181::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update171::::::
oracle	jdk	1.8.0	cpe:2.3:a:oracle:jdk:1.8.0:update162::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update181::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update171::::::
oracle	jre	1.8.0	cpe:2.3:a:oracle:jre:1.8.0:update162::::::
oracle	jrockit	r28.3.17	cpe:2.3:a:oracle:jrockit:r28.3.17:::::::*
redhat	satellite	5.6	cpe:2.3:a:redhat:satellite:5.6:::::::*
redhat	satellite	5.7	cpe:2.3:a:redhat:satellite:5.7:::::::*
redhat	satellite	5.8	cpe:2.3:a:redhat:satellite:5.8:::::::*
redhat	enterprise_linux_desktop	6.0	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
redhat	enterprise_linux_desktop	7.0	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
redhat	enterprise_linux_server	6.0	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
redhat	enterprise_linux_server	7.0	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
redhat	enterprise_linux_server_aus	7.6	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
redhat	enterprise_linux_server_eus	7.5	cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:::::::*
redhat	enterprise_linux_server_eus	7.6	cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:::::::*
redhat	enterprise_linux_server_tus	7.6	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
redhat	enterprise_linux_workstation	6.0	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
redhat	enterprise_linux_workstation	7.0	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
canonical	ubuntu_linux	14.04	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
canonical	ubuntu_linux	16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
canonical	ubuntu_linux	17.10	cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*
schneider-electric	struxureware_data_center_expert	—	cpe:2.3:a:schneider-electric:struxureware_data_center_expert::::::::
schneider-electric	struxureware_data_center_expert	< 7.6.0	cpe:2.3:a:schneider-electric:struxureware_data_center_expert::::::::
hp	xp7_command_view	—	cpe:2.3:a:hp:xp7_command_view:::::advanced:::*

References for CVE-2018-2800

URL	Tags
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Patch Vendor Advisory
http://www.securityfocus.com/bid/103849	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1040697	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:1188	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1191	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1201	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1202	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1203	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1204	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1205	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1206	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1270	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1278	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1721	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1722	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1723	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1724	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1974	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1975	Third Party Advisory
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0	Third Party Advisory
https://security.gentoo.org/glsa/201903-14	Third Party Advisory
https://security.netapp.com/advisory/ntap-20180419-0001/	Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03857en_us	Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03915en_us	Third Party Advisory
https://usn.ubuntu.com/3644-1/	Third Party Advisory
https://usn.ubuntu.com/3691-1/	Third Party Advisory
https://www.debian.org/security/2018/dsa-4185	Third Party Advisory
https://www.debian.org/security/2018/dsa-4225	Third Party Advisory

URL

CVE-2018-2800

Exploit prediction scoring system (EPSS) score for CVE-2018-2800

Common vulnerability scoring system (CVSS) metrics for CVE-2018-2800

Weakness enumeration for CVE-2018-2800

OS Trackers for CVE-2018-2800

Affected software / configurations for CVE-2018-2800

References for CVE-2018-2800