Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 717632 (CVE-2020-2585, CVE-2020-2755, CVE-2020-2756, CVE-2020-2757, CVE-2020-2773, CVE-2020-2781, CVE-2020-2800, CVE-2020-2803, CVE-2020-2805)

Summary: [Tracker] Multiple Java vulnerabilities (CVE-2020-{2585,2755,2756,2757,2773,2781,2800,2803,2805,2830})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Keywords: Tracker
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=705992
Whiteboard: B2 [ebuild cve]
Package list:
Runtime testing required: ---
Bug Depends on: 717638, 718720, 720690    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-15 22:22:25 UTC 
CVE-2020-2659 (https://nvd.nist.gov/vuln/detail/CVE-2020-2659):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Networking). Supported versions that are affected are Java SE:
  7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability
  allows unauthenticated attacker with network access via multiple protocols
  to compromise Java SE, Java SE Embedded. Successful attacks of this
  vulnerability can result in unauthorized ability to cause a partial denial
  of service (partial DOS) of Java SE, Java SE Embedded. Note: This
  vulnerability applies to Java deployments, typically in clients running
  sandboxed Java Web Start applications or sandboxed Java applets (in Java SE
  8), that load and run untrusted code (e.g., code that comes from the
  internet) and rely on the Java sandbox for security. This vulnerability can
  also be exploited by using APIs in the specified Component, e.g., through a
  web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7
  (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2020-2654 (https://nvd.nist.gov/vuln/detail/CVE-2020-2654):
  Vulnerability in the Java SE product of Oracle Java SE (component:
  Libraries). Supported versions that are affected are Java SE: 7u241, 8u231,
  11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated
  attacker with network access via multiple protocols to compromise Java SE.
  Successful attacks of this vulnerability can result in unauthorized ability
  to cause a partial denial of service (partial DOS) of Java SE. Note: This
  vulnerability can only be exploited by supplying data to APIs in the
  specified Component without using Untrusted Java Web Start applications or
  Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score
  3.7 (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2020-2604 (https://nvd.nist.gov/vuln/detail/CVE-2020-2604):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Serialization). Supported versions that are affected are Java
  SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via multiple protocols to compromise Java SE, Java SE Embedded. Successful
  attacks of this vulnerability can result in takeover of Java SE, Java SE
  Embedded. Note: This vulnerability applies to Java deployments, typically in
  clients running sandboxed Java Web Start applications or sandboxed Java
  applets (in Java SE 8), that load and run untrusted code (e.g., code that
  comes from the internet) and rely on the Java sandbox for security. This
  vulnerability can also be exploited by using APIs in the specified
  Component, e.g., through a web service which supplies data to the APIs. CVSS
  v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts).
  CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2020-2601 (https://nvd.nist.gov/vuln/detail/CVE-2020-2601):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Security). Supported versions that are affected are Java SE:
  7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via Kerberos to compromise Java SE, Java SE Embedded. While the
  vulnerability is in Java SE, Java SE Embedded, attacks may significantly
  impact additional products. Successful attacks of this vulnerability can
  result in unauthorized access to critical data or complete access to all
  Java SE, Java SE Embedded accessible data. Note: This vulnerability applies
  to Java deployments, typically in clients running sandboxed Java Web Start
  applications or sandboxed Java applets (in Java SE 8), that load and run
  untrusted code (e.g., code that comes from the internet) and rely on the
  Java sandbox for security. This vulnerability can also be exploited by using
  APIs in the specified Component, e.g., through a web service which supplies
  data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS
  Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

CVE-2020-2593 (https://nvd.nist.gov/vuln/detail/CVE-2020-2593):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Networking). Supported versions that are affected are Java SE:
  7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via multiple protocols to compromise Java SE, Java SE Embedded. Successful
  attacks of this vulnerability can result in unauthorized update, insert or
  delete access to some of Java SE, Java SE Embedded accessible data as well
  as unauthorized read access to a subset of Java SE, Java SE Embedded
  accessible data. Note: This vulnerability applies to Java deployments,
  typically in clients running sandboxed Java Web Start applications or
  sandboxed Java applets (in Java SE 8), that load and run untrusted code
  (e.g., code that comes from the internet) and rely on the Java sandbox for
  security. This vulnerability can also be exploited by using APIs in the
  specified Component, e.g., through a web service which supplies data to the
  APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS
  Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVE-2020-2590 (https://nvd.nist.gov/vuln/detail/CVE-2020-2590):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Security). Supported versions that are affected are Java SE:
  7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of
  this vulnerability can result in unauthorized update, insert or delete
  access to some of Java SE, Java SE Embedded accessible data. Note: This
  vulnerability applies to Java deployments, typically in clients running
  sandboxed Java Web Start applications or sandboxed Java applets (in Java SE
  8), that load and run untrusted code (e.g., code that comes from the
  internet) and rely on the Java sandbox for security. This vulnerability can
  also be exploited by using APIs in the specified Component, e.g., through a
  web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7
  (Integrity impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2020-2585 (https://nvd.nist.gov/vuln/detail/CVE-2020-2585):
  Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX).
  The supported version that is affected is Java SE: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via multiple protocols to compromise Java SE. Successful attacks of this
  vulnerability can result in unauthorized creation, deletion or modification
  access to critical data or all Java SE accessible data. Note: This
  vulnerability applies to Java deployments, typically in clients running
  sandboxed Java Web Start applications or sandboxed Java applets (in Java SE
  8), that load and run untrusted code (e.g., code that comes from the
  internet) and rely on the Java sandbox for security. This vulnerability can
  also be exploited by using APIs in the specified Component, e.g., through a
  web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9
  (Integrity impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2020-2583 (https://nvd.nist.gov/vuln/detail/CVE-2020-2583):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Serialization). Supported versions that are affected are Java
  SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via multiple protocols to compromise Java SE, Java SE Embedded. Successful
  attacks of this vulnerability can result in unauthorized ability to cause a
  partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note:
  This vulnerability applies to Java deployments, typically in clients running
  sandboxed Java Web Start applications or sandboxed Java applets (in Java SE
  8), that load and run untrusted code (e.g., code that comes from the
  internet) and rely on the Java sandbox for security. This vulnerability can
  also be exploited by using APIs in the specified Component, e.g., through a
  web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7
  (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).