Linux Distros Unpatched Vulnerability : CVE-2018-3209

🗓️ 19 Aug 2025 00:00:00Reported by TenableType

Unpatched Linux host; JavaFX 8u182; remote access; sandboxed apps affected; no vendor patch.

Reporter	Title	Published	Views	Family All 43
Tenable Nessus	Oracle Java SE 6 < Update 211 / 7 < Update 201 / 8 < Update 191 / 11 < Update 1 Multiple Vulnerabilities (October 2018 CPU)	2 May 201900:00	–	nessus
Tenable Nessus	GLSA-201908-10 : Oracle JDK/JRE: Multiple vulnerabilities	20 Aug 201900:00	–	nessus
Tenable Nessus	Oracle Java SE Multiple Vulnerabilities (October 2018 CPU)	19 Oct 201800:00	–	nessus
Tenable Nessus	Oracle Java SE Multiple Vulnerabilities (October 2018 CPU) (Unix)	19 Oct 201800:00	–	nessus
Tenable Nessus	Photon OS 1.0: Openjdk PHSA-2018-1.0-0192 (deprecated)	29 Oct 201800:00	–	nessus
Tenable Nessus	Photon OS 1.0: Openjdk PHSA-2018-1.0-0192	7 Feb 201900:00	–	nessus
Tenable Nessus	Photon OS 2.0: Openjdk8 PHSA-2018-2.0-0106	7 Feb 201900:00	–	nessus
Tenable Nessus	RHEL 7 : java-1.8.0-oracle (RHSA-2018:3002)	25 Oct 201800:00	–	nessus
Tenable Nessus	RHEL 6 : java-1.8.0-oracle (RHSA-2018:3003)	25 Oct 201800:00	–	nessus
Chainguard	CVE-2018-3209 vulnerabilities	23 Aug 202514:16	–	cgr

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2018-3209
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(251711);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/08/19");

  script_cve_id("CVE-2018-3209");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2018-3209");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). The supported version
    that is affected is Java SE: 8u182. Difficult to exploit vulnerability allows unauthenticated attacker
    with network access via multiple protocols to compromise Java SE. Successful attacks require human
    interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may
    significantly impact additional products. Successful attacks of this vulnerability can result in takeover
    of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed
    Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code
    (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability
    does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code
    installed by an administrator). (CVE-2018-3209)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2018-3209");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3209");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjfx");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "openjfx"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

19 Aug 2025 00:00Current

6.3Medium risk

Vulners AI Score6.3

CVSS 25.1

CVSS 3.18.3

EPSS0.01242

SSVC