Timely Java security updates are necessary to protect your infrastructure

Managing Java security is a critical challenge for every operations team. Every few quarters the Java community is made aware of one or more high-severity CVEs, and these need to be addressed quickly.

The Java community updates the platform quarterly, through a combination of security-only Critical Patch Updates (CPUs) and Patch Set Updates (PSUs), which contain the security updates plus new and back-ported features and bugfixes.


Zulu Common Vulnerabilities and Exposures Fixes

April 2020 – CVSS VERSION 3.0 RISK

| CVE | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-2830 | Concurrency | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 14, 13, 11, 8, 7, 6 | Note 3 |
| CVE-2020-2816 | JSSE | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14, 13, 11, 8* | Note 2 |
| CVE-2020-2805 | Libraries | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 14, 13, 11, 8, 7 | Note 1 |
| CVE-2020-2803 | Libraries | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 14, 13, 11, 8, 7 | Note 1 |
| CVE-2020-2800 | Lightweight HTTP Server | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 14, 13, 11, 8, 7, 6 | Note 2 |
| CVE-2019-18197 | JavaFX (libxslt) | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 13, 11, 8 | Note 1 |
| CVE-2020-2781 | JSSE | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 14, 13, 11, 8, 7, 6 | Note 3 |
| CVE-2020-2767 | JSSE | HTTPS | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 14, 13, 11, 8* | Note 3 |
| CVE-2020-2778 | JSSE | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14, 13, 11, 8* | Note 3 |
| CVE-2020-2773 | Security | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14, 13, 11, 8, 7, 6 | Note 3 |
| CVE-2020-2757 | Serialization | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14, 13, 11, 8, 7, 6 | Note 3 |
| CVE-2020-2756 | Serialization | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14, 13, 11, 8, 7, 6 | Note 3 |
| CVE-2020-2755 | Scripting | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14, 13, 11, 8 | Note 3 |
| CVE-2020-2754 | Scripting | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14, 13, 11, 8 | Note 3 |
| CVE-2020-2764 | Advanced Management Console | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | None | Note 2 |

* Applicable only if the UseOpenJSSE option is enabled.

Notes:

Note 1: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Note 2: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service.

Note 3: This vulnerability applies to client and server deployments of Java. This vulnerability can be exploited through untrusted code executed under Java sandbox restrictions. It can also be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service.

January 2020 – CVSS VERSION 3.0 RISK

| CVE | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-2604 | Serialization | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 13, 11, 8, 7 | Note 1 |
| CVE-2019-16168 | JavaFX (SQLite) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 13, 11, 8 | Note 2 |
| CVE-2019-13117 | JavaFX (libxslt) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 13, 11, 8 | Note 2 |
| CVE-2019-13118 | JavaFX (libxslt) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 13, 11, 8 | Note 2 |
| CVE-2020-2601 | Security | Kerberos | Yes | 6.8 | Network | High | None | None | Changed | High | None | None | 13, 11, 8, 7 | Note 1 |
| CVE-2020-2585 | JavaFX | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 13, 11, 8 | Note 1 |
| CVE-2020-2655 | JSSE | HTTPS | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 13, 11, 8* | Note 1 |
| CVE-2020-2593 | Networking | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 13, 11, 8, 7 | Note 1 |
| CVE-2020-2654 | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 3 |
| CVE-2020-2590 | Security | Kerberos | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 13, 11, 8, 7 | Note 1 |
| CVE-2020-2659 | Networking | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 8, 7 | Note 1 |
| CVE-2020-2583 | Serialization | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 1 |

* Applicable only if the UseOpenJSSE option is enabled.

Notes:

Note 1: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Note 2: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Note 3: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted Java deployments, such as through a web service.

July 2019 – CVSS VERSION 3.0 RISK

| CVE | Component | Sub Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-7317 | Java SE | AWT (libpng) | Multiple | Yes | 6.8 | Network | High | None | Required | Unchanged | None | High | High | 12, 11, 8, 7 | Note 1 |
| CVE-2019-2821 | Java SE | JSSE | TLS | Yes | 5.3 | Network | High | None | Required | Unchanged | High | None | None | 12, 11 | Note 1 |
| CVE-2019-2769 | Java SE | Utilities | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 12, 11, 8, 7 | Note 2 |
| CVE-2019-2762 | Java SE | Utilities | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 12, 11, 8, 7 | Note 2 |
| CVE-2019-2745 | Java SE | Security | None | No | 5.1 | Local | High | None | None | Unchanged | High | None | None | 11, 8, 7 | Note 2 |
| CVE-2019-2816 | Java SE | Networking | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 12, 11, 8, 7 | Note 2 |
| CVE-2019-2842 | Java SE | JCE | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 8, 7 | Note 2 |
| CVE-2019-2786 | Java SE | Security | Multiple | Yes | 3.4 | Network | High | None | Required | Changed | Low | None | None | 12, 11, 8, 7 | Note 2 |
| CVE-2019-2818 | Java SE | Security | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | 12, 11 | Note 1 |
| CVE-2019-2766 | Java SE | Networking | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | 12, 11, 8, 7 | Note 2 |

* Applicable only if the UseOpenJSSE option is enabled.

Notes:

Note 1: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Note 2: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Note 3: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted Java deployments, such as through a web service.

April 2019 – CVSS VERSION 3.0 RISK

| CVE | Component | Sub Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-2699 | Java SE | Windows DLL | Multiple | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 7 | Note 1 |
| CVE-2019-2698 | Java SE | 2D | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 8, 7 | Note 2 |
| CVE-2019-2697 | Java SE | 2D | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | None | Note 2 |
| CVE-2019-2602 | Java SE | Libraries | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 12, 11, 8, 7 | Note 3 |
| CVE-2019-2684 | Java SE | RMI | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 12, 11, 8, 7 | Note 1 |

* Applicable only if the UseOpenJSSE option is enabled.

Notes:

Note 1: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Note 2: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Note 3: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted Java deployments, such as through a web service.

October 2019 – CVSS VERSION 3.0 RISK

| CVE | Component | Sub Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-2949 | Kerberos | javax.net.ssl | Kerberos | Yes | 6.8 | Network | High | None | None | Changed | High | None | None | 13, 11, 8 | Note 1 |
| CVE-2019-2989 | Networking | java.net | Multiple | Yes | 6.8 | Network | High | None | None | Changed | None | High | None | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2958 | Libraries | java.lang | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | High | None | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2977 | Hotspot | compiler | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | None | Low | 13, 11 | Note 2 |
| CVE-2019-2975 | Scripting | javax.script | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | None | Low | Low | 13, 11, 8 | Note 1 |
| CVE-2019-2999 | Javadoc | javadoc (tool) | Multiple | Yes | 4.7 | Network | High | None | Required | Changed | Low | Low | None | 13, 11, 8, 7 | Note 2 |
| CVE-2019-2987 | 2D | 2d | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2981 | JAXP | jaxp | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2973 | JAXP | jaxp | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2983 | Serialization | 2d | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2988 | 2D | 2d | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 2 |
| CVE-2019-2978 | Networking | java.net | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2992 | 2D | 2d | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 2 |
| CVE-2019-2964 | Concurrency | java.util.regex | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 3 |
| CVE-2019-2962 | 2D | 2d | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2933 | Libraries | | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | Low | None | None | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2945 | Networking | | Multiple | Yes | 3.1 | Network | High | None | Required | Unchanged | None | None | Low | 13, 11, 8, 7 | Note 2 |
| CVE-2019-2894 | Security | javax.net.ssl | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 13, 11, 8, 7 | Note 1 |

* Applicable only if the UseOpenJSSE option is enabled.

Notes:

Note 1: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Note 2: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Note 3: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted Java deployments, such as through a web service.

Did You Know?

Did you know that security-only patches are only available from Oracle and Azul, and that every free build of OpenJDK contains only PSUs?

CPU and PSU updates

CPU updates are designed for very rapid deployment, within days of release, while PSU updates add many new features and need to be tested thoroughly prior to deployment.

To learn more about the difference between CPU and PSU updates for OpenJDK, and the best ways to manage Java security at your site, start by discovering why security-only updates such as those available through a Zulu Enterprise subscription are a more cost-effective choice for keeping your Java infrastructure secure.

© Azul Systems, Inc. 2020 All rights reserved.