Bug 717638

Summary: dev-java/oracle-{jdk,jre}-bin: Multiple vulnerabilities (CVE-2020-{2585,2755,2756,2757,2773,2781,2800,2803,2805,2830})
Product: Gentoo Security
Component: Vulnerabilities
Status: IN_PROGRESS
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Sam James <sam>
Assignee: Gentoo Security <security>
CC: ajak, treecleaner
See Also: https://bugs.gentoo.org/show_bug.cgi?id=732630
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 681828
Bug Blocks: 717632

Description Sam James archtester gentoo-dev Security 2020-04-15 23:29:50 UTC
CVE-2020-2659 (https://nvd.nist.gov/vuln/detail/CVE-2020-2659):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Networking). Supported versions that are affected are Java SE:
  7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability
  allows unauthenticated attacker with network access via multiple protocols
  to compromise Java SE, Java SE Embedded. Successful attacks of this
  vulnerability can result in unauthorized ability to cause a partial denial
  of service (partial DOS) of Java SE, Java SE Embedded. Note: This
  vulnerability applies to Java deployments, typically in clients running
  sandboxed Java Web Start applications or sandboxed Java applets (in Java SE
  8), that load and run untrusted code (e.g., code that comes from the
  internet) and rely on the Java sandbox for security. This vulnerability can
  also be exploited by using APIs in the specified Component, e.g., through a
  web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7
  (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2020-2654 (https://nvd.nist.gov/vuln/detail/CVE-2020-2654):
  Vulnerability in the Java SE product of Oracle Java SE (component:
  Libraries). Supported versions that are affected are Java SE: 7u241, 8u231,
  11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated
  attacker with network access via multiple protocols to compromise Java SE.
  Successful attacks of this vulnerability can result in unauthorized ability
  to cause a partial denial of service (partial DOS) of Java SE. Note: This
  vulnerability can only be exploited by supplying data to APIs in the
  specified Component without using Untrusted Java Web Start applications or
  Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score
  3.7 (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2020-2604 (https://nvd.nist.gov/vuln/detail/CVE-2020-2604):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Serialization). Supported versions that are affected are Java
  SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via multiple protocols to compromise Java SE, Java SE Embedded. Successful
  attacks of this vulnerability can result in takeover of Java SE, Java SE
  Embedded. Note: This vulnerability applies to Java deployments, typically in
  clients running sandboxed Java Web Start applications or sandboxed Java
  applets (in Java SE 8), that load and run untrusted code (e.g., code that
  comes from the internet) and rely on the Java sandbox for security. This
  vulnerability can also be exploited by using APIs in the specified
  Component, e.g., through a web service which supplies data to the APIs. CVSS
  v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts).
  CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2020-2601 (https://nvd.nist.gov/vuln/detail/CVE-2020-2601):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Security). Supported versions that are affected are Java SE:
  7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via Kerberos to compromise Java SE, Java SE Embedded. While the
  vulnerability is in Java SE, Java SE Embedded, attacks may significantly
  impact additional products. Successful attacks of this vulnerability can
  result in unauthorized access to critical data or complete access to all
  Java SE, Java SE Embedded accessible data. Note: This vulnerability applies
  to Java deployments, typically in clients running sandboxed Java Web Start
  applications or sandboxed Java applets (in Java SE 8), that load and run
  untrusted code (e.g., code that comes from the internet) and rely on the
  Java sandbox for security. This vulnerability can also be exploited by using
  APIs in the specified Component, e.g., through a web service which supplies
  data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS
  Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

CVE-2020-2593 (https://nvd.nist.gov/vuln/detail/CVE-2020-2593):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Networking). Supported versions that are affected are Java SE:
  7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via multiple protocols to compromise Java SE, Java SE Embedded. Successful
  attacks of this vulnerability can result in unauthorized update, insert or
  delete access to some of Java SE, Java SE Embedded accessible data as well
  as unauthorized read access to a subset of Java SE, Java SE Embedded
  accessible data. Note: This vulnerability applies to Java deployments,
  typically in clients running sandboxed Java Web Start applications or
  sandboxed Java applets (in Java SE 8), that load and run untrusted code
  (e.g., code that comes from the internet) and rely on the Java sandbox for
  security. This vulnerability can also be exploited by using APIs in the
  specified Component, e.g., through a web service which supplies data to the
  APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS
  Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVE-2020-2590 (https://nvd.nist.gov/vuln/detail/CVE-2020-2590):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Security). Supported versions that are affected are Java SE:
  7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of
  this vulnerability can result in unauthorized update, insert or delete
  access to some of Java SE, Java SE Embedded accessible data. Note: This
  vulnerability applies to Java deployments, typically in clients running
  sandboxed Java Web Start applications or sandboxed Java applets (in Java SE
  8), that load and run untrusted code (e.g., code that comes from the
  internet) and rely on the Java sandbox for security. This vulnerability can
  also be exploited by using APIs in the specified Component, e.g., through a
  web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7
  (Integrity impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2020-2585 (https://nvd.nist.gov/vuln/detail/CVE-2020-2585):
  Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX).
  The supported version that is affected is Java SE: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via multiple protocols to compromise Java SE. Successful attacks of this
  vulnerability can result in unauthorized creation, deletion or modification
  access to critical data or all Java SE accessible data. Note: This
  vulnerability applies to Java deployments, typically in clients running
  sandboxed Java Web Start applications or sandboxed Java applets (in Java SE
  8), that load and run untrusted code (e.g., code that comes from the
  internet) and rely on the Java sandbox for security. This vulnerability can
  also be exploited by using APIs in the specified Component, e.g., through a
  web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9
  (Integrity impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2020-2583 (https://nvd.nist.gov/vuln/detail/CVE-2020-2583):
  Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE
  (component: Serialization). Supported versions that are affected are Java
  SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to
  exploit vulnerability allows unauthenticated attacker with network access
  via multiple protocols to compromise Java SE, Java SE Embedded. Successful
  attacks of this vulnerability can result in unauthorized ability to cause a
  partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note:
  This vulnerability applies to Java deployments, typically in clients running
  sandboxed Java Web Start applications or sandboxed Java applets (in Java SE
  8), that load and run untrusted code (e.g., code that comes from the
  internet) and rely on the Java sandbox for security. This vulnerability can
  also be exploited by using APIs in the specified Component, e.g., through a
  web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7
  (Availability impacts). CVSS Vector:
  (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Comment 1 Sam James archtester gentoo-dev Security 2020-04-15 23:30:36 UTC
note that this is already masked for licence reasons but last-rites have NOT been done yet

Comment 2 Larry the Git Cow gentoo-dev 2020-09-19 08:07:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a7faaad2f8c5312dfb8d6e539b5a7346652e98b

commit 6a7faaad2f8c5312dfb8d6e539b5a7346652e98b
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-09-18 22:36:24 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-09-19 08:05:29 +0000

    dev-java/oracle-jdk-bin: remove last rited pkg
    
    Bug: https://bugs.gentoo.org/732630
    Bug: https://bugs.gentoo.org/717638
    Closes: https://bugs.gentoo.org/575978
    Closes: https://bugs.gentoo.org/686672
    Closes: https://bugs.gentoo.org/684306
    Closes: https://bugs.gentoo.org/692420
    Closes: https://bugs.gentoo.org/684120
    Closes: https://bugs.gentoo.org/681828
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/17594
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/oracle-jdk-bin/Manifest                   |  15 --
 .../oracle-jdk-bin/files/fontconfig.properties     | 161 -----------
 .../oracle-jdk-bin/files/oracle-jdk-bin-9.env.sh   |  16 --
 .../oracle-jdk-bin/files/oracle-jdk-bin.env.sh     |  16 --
 dev-java/oracle-jdk-bin/metadata.xml               |  16 --
 .../oracle-jdk-bin/oracle-jdk-bin-1.8.0.202.ebuild | 297 ---------------------
 .../oracle-jdk-bin/oracle-jdk-bin-11.0.2.ebuild    | 247 -----------------
 7 files changed, 768 deletions(-)

Comment 3 John Helmert III gentoo-dev Security 2020-09-19 13:47:56 UTC
Thanks all. Needs GLSA.