Published: 16 October 2018

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

From the Ubuntu security team

Tobias Ospelt discovered that the Resource Interchange File Format (RIFF) reader implementation in OpenJDK contained an infinite loop. An attacker could use this to cause a denial of service.


Fixed in openjdk-9 and newer.


CVSS 3 base score: 5.3


Package Release Status

Launchpad, Ubuntu, Debian
bionic Does not exist
cosmic Does not exist
disco Does not exist
precise Does not exist
trusty Does not exist (trusty was needs-triage)
upstream Needs triage
xenial Does not exist

Launchpad, Ubuntu, Debian
bionic Released (8u191-b12-0ubuntu0.18.04.1)
cosmic Released (8u191-b12-0ubuntu0.18.10.1)
disco Released (8u191-b12-0ubuntu0.19.04.1)
precise Does not exist
trusty Does not exist
upstream Needs triage
xenial Released (8u181-b13-1ubuntu0.16.04.1)

Launchpad, Ubuntu, Debian
bionic Not vulnerable
cosmic Not vulnerable
disco Not vulnerable
precise Does not exist
trusty Does not exist
upstream Not vulnerable
xenial Does not exist